Document the need for quotes on pg secret port value

Co-authored-by: Aurelien Potin <aurelien.potin@michelin.com>

.github/CODE_OF_CONDUCT.md

@@ -0,0 +1,3 @@
+# Community Code of Conduct
+
+Please see the official [Ansible Community Code of Conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).

.github/ISSUE_TEMPLATE/bug_report.md

@@ -1,39 +0,0 @@
----
-name: Bug report
-about: Create a report to help us improve
-title: ''
-labels: ''
-assignees: ''
-
----
-
-##### ISSUE TYPE
- - Bug Report
-
-##### SUMMARY
-<!-- Briefly describe the problem. -->
-
-##### ENVIRONMENT
-* AWX version: X.Y.Z
-* Operator version: X.Y.Z
-* Kubernetes version: 
-* AWX install method: openshift, minishift, docker on linux, docker for mac, boot2docker
-
-##### STEPS TO REPRODUCE
-
-<!-- Please describe exactly how to reproduce the problem. -->
-
-##### EXPECTED RESULTS
-
-<!-- What did you expect to happen when running the steps above? -->
-
-##### ACTUAL RESULTS
-
-<!-- What actually happened? -->
-
-##### ADDITIONAL INFORMATION
-
-<!-- Include any links to sosreport, database dumps, screenshots or other
-information. -->
-
-##### AWX-OPERATOR LOGS

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -0,0 +1,125 @@
+---
+name: Bug Report
+description: "🐞 Create a report to help us improve"
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Bug Report issues are for **concrete, actionable bugs** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that the AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Bug Summary
+      description: Briefly describe the problem.
+    validations:
+      required: false
+
+  - type: input
+    id: awx-operator-version
+    attributes:
+      label: AWX Operator version
+      description: What version of the AWX Operator are you running?
+    validations:
+      required: true
+
+  - type: input
+    id: awx-version
+    attributes:
+      label: AWX version
+      description: What version of AWX are you running?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: platform
+    attributes:
+      label: Kubernetes platform
+      description: What platform did you install the Operator in?
+      multiple: false
+      options:
+        - kubernetes
+        - minikube
+        - openshift
+        - minishift
+        - docker development environment
+        - other (please specify in additional information)
+    validations:
+      required: true
+
+  - type: input
+    id: kube-version
+    attributes:
+      label: Kubernetes/Platform version
+      description: What version of your platform/kuberneties are you using?
+    validations:
+      required: true
+
+  - type: dropdown
+    id: modified-architecture
+    attributes:
+      label: Modifications
+      description: >-
+       Have you modified the installation, deployment topology, or container images in any way? If yes, please
+       explain in the "additional information" field at the bottom of the form.
+      multiple: false
+      options:
+        - "no"
+        - "yes"
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps-to-reproduce
+    attributes:
+      label: Steps to reproduce
+      description: >-
+        Starting from a new installation of the system, describe exactly how a developer or quality engineer can reproduce the bug
+        on infrastructure that isn't yours. Include any and all resources created, input values, test users, roles assigned, playbooks used, etc.
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected-results
+    attributes:
+      label: Expected results
+      description: What did you expect to happpen when running the steps above?
+    validations:
+      required: true
+
+  - type: textarea
+    id: actual-results
+    attributes:
+      label: Actual results
+      description: What actually happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: additional-information
+    attributes:
+      label: Additional information
+      description: Include any relevant log output, links to sosreport, database dumps, screenshots, AWX spec yaml, or other information.
+    validations:
+      required: false
+
+  - type: textarea
+    id: operator-logs
+    attributes:
+      label: Operator Logs
+      description: Include any relevant logs generated by the operator.
+    validations:
+      required: false

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,12 @@
+---
+blank_issues_enabled: false
+contact_links:
+  - name: For debugging help or technical support
+    url: https://github.com/ansible/awx-operator#get-involved
+    about: For general debugging or technical support please see the Get Involved section of our readme.
+  - name: 📝 Ansible Code of Conduct
+    url: https://docs.ansible.com/ansible/latest/community/code_of_conduct.html?utm_medium=github&utm_source=issue_template_chooser
+    about: AWX uses the Ansible Code of Conduct; ❤ Be nice to other members of the community. ☮ Behave.
+  - name: 💼 For Enterprise
+    url: https://www.ansible.com/products/engine?utm_medium=github&utm_source=issue_template_chooser
+    about: Red Hat offers support for the Ansible Automation Platform

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -0,0 +1,29 @@
+---
+name: ✨ Feature request
+description: Suggest an idea for this project
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Feature Request issues are for **feature requests** only.
+        For debugging help or technical support, please see the [Get Involved section of our README](https://github.com/ansible/awx-operator#get-involved)
+
+  - type: checkboxes
+    id: terms
+    attributes:
+      label: Please confirm the following
+      options:
+        - label: I agree to follow this project's [code of conduct](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html).
+          required: true
+        - label: I have checked the [current issues](https://github.com/ansible/awx-operator/issues) for duplicates.
+          required: true
+        - label: I understand that AWX Operator is open source software provided for free and that I might not receive a timely response.
+          required: true
+
+  - type: textarea
+    id: summary
+    attributes:
+      label: Feature Summary
+      description: Briefly describe the desired enhancement.
+    validations:
+      required: true

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,26 @@
+##### SUMMARY
+<!--- Describe the change, including rationale and design decisions -->
+
+<!---
+If you are fixing an existing issue, please include "fixes #nnn" in your
+commit message and your description; but you should still explain what
+the change does.
+-->
+
+##### ISSUE TYPE
+<!--- Pick one below and delete the rest: -->
+ - Breaking Change 
+ - New or Enhanced Feature
+ - Bug, Docs Fix or other nominal change
+
+##### ADDITIONAL INFORMATION
+<!---
+Include additional information to help people understand the change here.
+For bugs that don't have a linked bug report, a step-by-step reproduction
+of the problem is helpful.
+-->
+
+<!--- Paste verbatim command output below, e.g. before and after your change -->
+```
+
+```

.github/workflows/ci.yaml

@@ -11,7 +11,7 @@ on:
 
 jobs:
   molecule:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     name: molecule
     env:
       DOCKER_API_VERSION: "1.38"
@@ -40,7 +40,7 @@ jobs:
           make kustomize
           KUSTOMIZE_PATH=$(readlink -f bin/kustomize) molecule test -s kind
   helm:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     name: helm
     steps:
       - uses: actions/checkout@v2
@@ -60,7 +60,40 @@ jobs:
           kustomize edit add patch --path ../testing/pull_policy/Never.yaml
         working-directory: config/default
 
-      - name: Build and install helm chart
+      - name: Build and lint helm chart
         run: |
           IMG=awx-operator-ci make helm-chart
-          helm install --wait my-awx-operator ./charts/awx-operator
+          helm lint ./charts/awx-operator
+
+      - name: Install kubeval
+        run: |
+          mkdir tmp && cd tmp
+          wget https://github.com/instrumenta/kubeval/releases/latest/download/kubeval-linux-amd64.tar.gz
+          tar xf kubeval-linux-amd64.tar.gz
+          sudo cp kubeval /usr/local/bin
+        working-directory: ./charts
+
+      - name: Run kubeval
+        run: |
+          helm template -n awx awx-operator > tmp/test.yaml
+          kubeval --strict --force-color --ignore-missing-schemas tmp/test.yaml
+        working-directory: ./charts
+
+      - name: Install helm chart
+        run: |
+          helm install --wait my-awx-operator --namespace awx --create-namespace ./charts/awx-operator
+  no-log:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout sources
+        uses: actions/checkout@v2
+
+      - name: Check no_log statements
+        run: |
+          set +e
+          no_log=$(grep -nr ' no_log:' roles | grep -v '"{{ no_log }}"')
+          if [ -n "${no_log}" ]; then
+            echo 'Please update the following no_log statement(s) with the "{{ no_log }}" value'
+            echo "${no_log}"
+            exit 1
+          fi

.github/workflows/devel.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   release:
-    runs-on: ubuntu-18.04
+    runs-on: ubuntu-latest
     name: Push devel image
     steps:
       - uses: actions/checkout@v2

.github/workflows/feature.yml

@@ -0,0 +1,75 @@
+---
+
+name: Feature Branch Image Build and Push
+
+on:
+  push:
+    branches: [feature_*]
+
+jobs:
+  release:
+    runs-on: ubuntu-18.04
+    name: Push devel image
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0  # needed so that git describe --tag works
+
+      - name: Set VERSION
+        run: |
+          echo "VERSION=$(git describe --tags)" >>${GITHUB_ENV}
+
+      - name: Set lower case owner name
+        run: |
+          echo "OWNER_LC=${OWNER,,}" >>${GITHUB_ENV}
+        env:
+          OWNER: '${{ github.repository_owner }}'
+
+      - name: Set IMAGE_TAG_BASE
+        run: |
+          echo "IMAGE_TAG_BASE=ghcr.io/${OWNER_LC}/awx-operator" >>${GITHUB_ENV}
+
+      - name: Set ARCH environment variable
+        run: |
+          echo "ARCH=$(case $(uname -m) in x86_64) echo -n amd64 ;; aarch64) echo -n arm64 ;; *) echo -n $(uname -m) ;; esac)" >>${GITHUB_ENV}
+
+      - name: Set OS environment variable
+        run: |
+          echo "OS=$(uname | awk '{print tolower($0)}')" >>${GITHUB_ENV}
+
+      - name: Install operator-sdk
+        run: |
+          echo "Installing operator-sdk ${OPERATOR_SDK_DL_URL}" && \
+          curl -LO ${OPERATOR_SDK_DL_URL}/operator-sdk_${OS}_${ARCH} && \
+          chmod +x operator-sdk_${OS}_${ARCH} && \
+          sudo mkdir -p /usr/local/bin/ && \
+          sudo mv operator-sdk_${OS}_${ARCH} /usr/local/bin/operator-sdk && \
+          operator-sdk version
+        env:
+          OPERATOR_SDK_DL_URL: https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0
+
+      - name: Log in to registry
+        run: |
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build and Push awx-operator Image
+        run: |
+          make docker-build docker-push
+          docker tag ${IMAGE_TAG_BASE}:${VERSION} ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}:${GITHUB_REF##*/}
+
+      - name: Build bundle manifests
+        run: |
+          make bundle
+
+      - name: Build and Push awx-operator Bundle
+        run: |
+          make bundle-build bundle-push
+          docker tag ${IMAGE_TAG_BASE}-bundle:v${VERSION} ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-bundle:${GITHUB_REF##*/}
+
+      - name: Build and Push awx-operator Catalog
+        run: |
+          make catalog-build catalog-push
+          docker tag ${IMAGE_TAG_BASE}-catalog:v${VERSION} ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}
+          docker push ${IMAGE_TAG_BASE}-catalog:${GITHUB_REF##*/}

.github/workflows/label_issue.yml

@@ -0,0 +1,54 @@
+---
+name: Label Issues
+
+on:
+  issues:
+    types:
+      - opened
+      - reopened
+
+jobs:
+  triage:
+    runs-on: ubuntu-latest
+    name: Label
+
+    steps:
+      - name: Label Issue - Needs Triage
+        uses: github/issue-labeler@v2.4.1
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          not-before: 2021-12-07T07:00:00Z
+          configuration-path: .github/issue_labeler.yml
+          enable-versioned-regex: 0
+        if: github.event_name == 'issues'
+
+  community:
+    runs-on: ubuntu-latest
+    name: Label Issue - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.issue.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/label_pr.yml

@@ -0,0 +1,40 @@
+name: Label PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+
+jobs:
+  community:
+    runs-on: ubuntu-latest
+    name: Label PR - Community
+    steps:
+      - uses: actions/checkout@v2
+      - uses: actions/setup-python@v4
+      - name: Install python requests
+        run: pip install requests
+      - name: Check if user is a member of Ansible org
+        uses: jannekem/run-python-script-action@v1
+        id: check_user
+        with:
+          script: |
+            import requests
+            headers = {'Accept': 'application/vnd.github+json', 'Authorization': 'token ${{ secrets.GITHUB_TOKEN }}'}
+            response = requests.get('${{ fromJson(toJson(github.event.pull_request.user.url)) }}/orgs?per_page=100', headers=headers)
+            is_member = False
+            for org in response.json():
+              if org['login'] == 'ansible':
+                is_member = True
+            if is_member:
+                print("User is member")
+            else:
+                print("User is community")
+      - name: Add community label if not a member
+        if: contains(steps.check_user.outputs.stdout, 'community')
+        uses: andymckay/labeler@e6c4322d0397f3240f0e7e30a33b5c5df2d39e90
+        with:
+          add-labels: "community"
+          repo-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr_body_check.yml

@@ -0,0 +1,37 @@
+---
+name: PR Check
+env:
+  BRANCH: ${{ github.base_ref || 'devel' }}
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+jobs:
+  pr-check:
+    name: Scan PR description for semantic versioning keywords
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: Check for each of the lines
+        env:
+          PR_BODY: ${{ github.event.pull_request.body }}
+        run: |
+          echo "$PR_BODY" | grep "Bug, Docs Fix or other nominal change" > Z
+          echo "$PR_BODY" | grep "New or Enhanced Feature" > Y
+          echo "$PR_BODY" | grep "Breaking Change" > X
+          exit 0
+        # We exit 0 and set the shell to prevent the returns from the greps from failing this step
+        # See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
+        shell: bash {0}
+
+      - name: Check for exactly one item
+        run: |
+          if [ $(cat X Y Z | wc -l) != 1 ] ; then
+            echo "The PR body must contain exactly one of [ 'Bug, Docs Fix or other nominal change', 'New or Enhanced Feature', 'Breaking Change' ]"
+            echo "We counted $(cat X Y Z | wc -l)"
+            echo "See the default PR body for examples"
+            exit 255;
+          else
+            exit 0;
+          fi

.github/workflows/promote.yaml

@@ -8,7 +8,14 @@ jobs:
   promote:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
+        with:
+          depth: 0
+
+      - uses: actions/checkout@v3
+        with:
+          ref: gh-pages
+          path: gh-pages
 
       - name: Log in to GHCR
         run: |
@@ -26,11 +33,6 @@ jobs:
           docker push quay.io/${{ github.repository }}:${{ github.event.release.tag_name }}
           docker push quay.io/${{ github.repository }}:latest
 
-      - name: Configure git
-        run: |
-          git config user.name "$GITHUB_ACTOR"
-          git config user.email "$GITHUB_ACTOR@users.noreply.github.com"
-
       - name: Release Helm chart
         run: |
           ansible-playbook ansible/helm-release.yml -v \
@@ -38,3 +40,4 @@ jobs:
             -e chart_owner=${{ github.repository_owner }} \
             -e tag=${{ github.event.release.tag_name }} \
             -e gh_token=${{ secrets.GITHUB_TOKEN }}
+            -e gh_user=${{ github.actor }}

.github/workflows/triage_new.yml

@@ -1,22 +0,0 @@
----
-name: Triage
-
-on:
-  issues:
-    types:
-      - opened
-
-jobs:
-  triage:
-    runs-on: ubuntu-latest
-    name: Label
-
-    steps:
-      - name: Label issues
-        uses: github/issue-labeler@v2.4.1
-        with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
-          not-before: 2021-12-07T07:00:00Z
-          configuration-path: .github/issue_labeler.yml
-          enable-versioned-regex: 0
-        if: github.event_name == 'issues'

.gitignore

@@ -1,4 +1,5 @@
 *~
+gh-pages/
 .cache/
 /bin
 /bundle
@@ -6,3 +7,5 @@
 /bundle.Dockerfile
 /charts
 /.cr-release-packages
+.vscode/
+__pycache__

.helm/starter/README.md

@@ -0,0 +1,67 @@
+# AWX Operator Helm Chart
+
+This chart installs the AWX Operator resources configured in [this](https://github.com/ansible/awx-operator) repository.
+
+## Getting Started
+To configure your AWX resource using this chart, create your own `yaml` values file. The name is up to personal preference since it will explicitly be passed into the helm chart. Helm will merge whatever values you specify in your file with the default `values.yaml`, overriding any settings you've changed while allowing you to fall back on defaults. Because of this functionality, `values.yaml` should not be edited directly.
+
+In your values config, enable `AWX.enabled` and add `AWX.spec` values based on the awx operator's [documentation](https://github.com/ansible/awx-operator/blob/devel/README.md). Consult the docs below for additional functionality.
+
+### Installing
+The operator's [helm install](https://github.com/ansible/awx-operator/blob/devel/README.md#helm-install-on-existing-cluster) guide provides key installation instructions.
+
+Example:
+```
+helm install my-awx-operator awx-operator/awx-operator -n awx --create-namespace -f myvalues.yaml
+```
+
+Argument breakdown:
+* `-f` passes in the file with your custom values
+* `-n` sets the namespace to be installed in
+  * This value is accessed by `{{ $.Release.Namespace }}` in the templates
+  * Acts as the default namespace for all unspecified resources
+* `--create-namespace` specifies that helm should create the namespace before installing
+
+To update an existing installation, use `helm upgrade` instead of `install`. The rest of the syntax remains the same.
+
+## Configuration
+The goal of adding helm configurations is to abstract out and simplify the creation of multi-resource configs. The `AWX.spec` field maps directly to the spec configs of the `AWX` resource that the operator provides, which are detailed in the [main README](https://github.com/ansible/awx-operator/blob/devel/README.md). Other sub-config can be added with the goal of simplifying more involved setups that require additional resources to be specified.
+
+These sub-headers aim to be a more intuitive entrypoint into customizing your deployment, and are easier to manage in the long-term. By design, the helm templates will defer to the manually defined specs to avoid configuration conflicts. For example, if `AWX.spec.postgres_configuration_secret` is being used, the `AWX.postgres` settings will not be applied, even if enabled.
+
+### External Postgres
+The `AWX.postgres` section simplifies the creation of the external postgres secret. If enabled, the configs provided will automatically be placed in a `postgres-config` secret and linked to the `AWX` resource. For proper secret management, the `AWX.postgres.password` value, and any other sensitive values, can be passed in at the command line rather than specified in code. Use the `--set` argument with `helm install`. Supplying the password this way is not recommended for production use, but may be helpful for initial PoC.
+
+
+## Values Summary
+
+### AWX
+| Value | Description | Default |
+|---|---|---|
+| `AWX.enabled` | Enable this AWX resource configuration | `false` |
+| `AWX.name` | The name of the AWX resource and default prefix for other resources | `"awx"` |
+| `AWX.spec` | specs to directly configure the AWX resource | `{}` |
+| `AWX.postgres` | configurations for the external postgres secret | - |
+
+
+# Contributing
+
+## Adding abstracted sections
+Where possible, defer to `AWX.spec` configs before applying the abstracted configs to avoid collision. This can be facilitated by the `(hasKey .spec what_i_will_abstract)` check.
+
+## Building and Testing
+This chart is built using the Makefile in the [awx-operator repo](https://github.com/ansible/awx-operator). Clone the repo and run `make helm-chart`. This will create the awx-operator chart in the `charts/awx-operator` directory. In this process, the contents of the `.helm/starter` directory will be added to the chart.
+
+## Future Goals
+All values under the `AWX` header are focused on configurations that use the operator. Configurations that relate to the Operator itself could be placed under an `Operator` heading, but that may add a layer of complication over current development.
+
+
+# Chart Publishing
+
+The chart is currently hosted on the gh-pages branch of the repo. During the release pipeline, the `index.yaml` stored in that branch is generated with helm chart entries from all valid tags. We are currently unable to use the `chart-releaser` pipeline due to the fact that the complete helm chart is not committed to the repo and is instead built during the release process. Therefore, the cr action is unable to compare against previous versions.
+
+Instead of CR, we use `helm repo index` to generate an index from all locally pulled chart versions. Since we build from scratch every time, the timestamps of all entries will be updated. This could be improved by using yq or something similar to detect which tags are already in the index.yaml file, and only merge in tags that are not present.
+
+Not using CR could be addressed in the future by keeping the chart built as a part of releases, as long as CR compares the chart to previous release packages rather than previous commits. If the latter is the case, then we would not have the necessary history for comparison.
+
+

.helm/starter/templates/_helpers.tpl

@@ -0,0 +1,6 @@
+{{/*
+Generate the name of the postgres secret, expects AWX context passed in
+*/}}
+{{- define "postgres.secretName" -}}
+{{ default (printf "%s-postgres-configuration" .Values.AWX.name) .Values.AWX.postgres.secretName }}
+{{- end }}

.helm/starter/templates/awx-deploy.yaml

@@ -0,0 +1,24 @@
+{{- if $.Values.AWX.enabled }}
+{{- with .Values.AWX }}
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: {{ .name }}
+  namespace: {{ $.Release.Namespace }}
+spec:
+{{- /* Include raw map from the values file spec */}}
+{{ .spec | toYaml | indent 2 }}
+{{- /* Provide security context defaults */}}
+  {{- if not (hasKey .spec "security_context_settings") }}
+  security_context_settings:
+    runAsGroup: 0
+    runAsUser: 0
+    fsGroup: 0
+    fsGroupChangePolicy: OnRootMismatch
+  {{- end }}
+{{- /* Postgres configs if enabled and not already present */}}
+  {{- if and .postgres.enabled (not (hasKey .spec "postgres_configuration_secret")) }}
+  postgres_configuration_secret: {{ include "postgres.secretName" $ }}
+  {{- end }}
+{{- end }}
+{{- end }}

.helm/starter/templates/postgres-config.yaml

@@ -0,0 +1,18 @@
+{{- if and $.Values.AWX.enabled $.Values.AWX.postgres.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "postgres.secretName" . }}
+  namespace: {{ $.Release.Namespace }}
+{{- with $.Values.AWX.postgres }}
+stringData:
+  host: {{ .host }}
+  port: {{ .port | quote }}
+  database: {{ .dbName }}
+  username: {{ .username }}
+  password: {{ .password }}
+  sslmode: {{ .sslmode }}
+  type: {{ .type }}
+type: Opaque
+{{- end }}
+{{- end }}

.helm/starter/values.yaml

@@ -0,0 +1,19 @@
+AWX: 
+  # enable use of awx-deploy template
+  enabled: false
+  name: awx
+  spec:
+    admin_user: admin
+
+  # configurations for external postgres instance
+  postgres:
+    enabled: false
+    host: Unset
+    port: 5678
+    dbName: Unset
+    username: admin
+    # for secret management, pass in the password independently of this file
+    # at the command line, use --set AWX.postgres.password
+    password: Unset
+    sslmode: prefer
+    type: unmanaged

.yamllint

@@ -6,8 +6,14 @@ ignore: |
   kustomization.yaml
   awx-operator.clusterserviceversion.yaml
   bundle
+  .helm/starter
 
 rules:
   truthy: disable
   line-length:
     max: 170
+  document-start: disable
+  comments-indentation: disable
+  indentation:
+    level: warning
+    indent-sequences: consistent

Dockerfile

@@ -1,4 +1,10 @@
-FROM quay.io/operator-framework/ansible-operator:v1.12.0
+FROM quay.io/operator-framework/ansible-operator:v1.26.0
+
+USER 0
+
+RUN dnf install -y openssl
+
+USER 1001
 
 ARG DEFAULT_AWX_VERSION
 ARG OPERATOR_VERSION
@@ -12,3 +18,8 @@ RUN ansible-galaxy collection install -r ${HOME}/requirements.yml \
 COPY watches.yaml ${HOME}/watches.yaml
 COPY roles/ ${HOME}/roles/
 COPY playbooks/ ${HOME}/playbooks/
+
+ENTRYPOINT ["/tini", "--", "/usr/local/bin/ansible-operator", "run", \
+    "--watches-file=./watches.yaml", \
+    "--reconcile-period=0s" \
+    ]

Makefile

@@ -44,6 +44,17 @@ IMAGE_TAG_BASE ?= quay.io/ansible/awx-operator
 # You can use it as an arg. (E.g make bundle-build BUNDLE_IMG=<some-registry>/<project-name-bundle>:<tag>)
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
+# BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
+BUNDLE_GEN_FLAGS ?= -q --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+
+# USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
+# You can enable this value if you would like to use SHA Based Digests
+# To enable set flag to true
+USE_IMAGE_DIGESTS ?= false
+ifeq ($(USE_IMAGE_DIGESTS), true)
+       BUNDLE_GEN_FLAGS += --use-image-digests
+endif
+
 # Image URL to use all building/pushing image targets
 IMG ?= $(IMAGE_TAG_BASE):$(VERSION)
 NAMESPACE ?= awx
@@ -56,6 +67,7 @@ CHART_REPO ?= awx-operator
 CHART_BRANCH ?= gh-pages
 CHART_INDEX ?= index.yaml
 
+.PHONY: all
 all: docker-build
 
 ##@ General
@@ -71,38 +83,47 @@ all: docker-build
 # More info on the awk command:
 # http://linuxcommand.org/lc3_adv_awk.php
 
+.PHONY: help
 help: ## Display this help.
 	@awk 'BEGIN {FS = ":.*##"; printf "\nUsage:\n  make \033[36m<target>\033[0m\n"} /^[a-zA-Z_0-9-]+:.*?##/ { printf "  \033[36m%-15s\033[0m %s\n", $$1, $$2 } /^##@/ { printf "\n\033[1m%s\033[0m\n", substr($$0, 5) } ' $(MAKEFILE_LIST)
 
 ##@ Build
 
+.PHONY: run
 run: ansible-operator ## Run against the configured Kubernetes cluster in ~/.kube/config
 	ANSIBLE_ROLES_PATH="$(ANSIBLE_ROLES_PATH):$(shell pwd)/roles" $(ANSIBLE_OPERATOR) run
 
+.PHONY: docker-build
 docker-build: ## Build docker image with the manager.
 	${CONTAINER_CMD} build $(BUILD_ARGS) -t ${IMG} .
 
+.PHONY: docker-push
 docker-push: ## Push docker image with the manager.
 	${CONTAINER_CMD} push ${IMG}
 
 ##@ Deployment
 
+.PHONY: install
 install: kustomize ## Install CRDs into the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl apply -f -
 
+.PHONY: uninstall
 uninstall: kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config.
 	$(KUSTOMIZE) build config/crd | kubectl delete -f -
 
+.PHONY: gen-resources
 gen-resources: kustomize ## Generate resources for controller and print to stdout
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default
 
+.PHONY: deploy
 deploy: kustomize ## Deploy controller to the K8s cluster specified in ~/.kube/config.
 	@cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	@$(KUSTOMIZE) build config/default | kubectl apply -f -
 
+.PHONY: undeploy
 undeploy: ## Undeploy controller from the K8s cluster specified in ~/.kube/config.
 	@cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
 	$(KUSTOMIZE) build config/default | kubectl delete -f -
@@ -119,7 +140,7 @@ ifeq (,$(shell which kustomize 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(KUSTOMIZE)) ;\
-	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.2/kustomize_v4.5.2_$(OS)_$(ARCHA).tar.gz | \
+	curl -sSLo - https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize/v4.5.7/kustomize_v4.5.7_$(OS)_$(ARCHA).tar.gz | \
 	tar xzf - -C bin/ ;\
 	}
 else
@@ -135,7 +156,7 @@ ifeq (,$(shell which ansible-operator 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(ANSIBLE_OPERATOR)) ;\
-	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.12.0/ansible-operator_$(OS)_$(ARCHA) ;\
+	curl -sSLo $(ANSIBLE_OPERATOR) https://github.com/operator-framework/operator-sdk/releases/download/v1.26.0/ansible-operator_$(OS)_$(ARCHA) ;\
 	chmod +x $(ANSIBLE_OPERATOR) ;\
 	}
 else
@@ -166,7 +187,7 @@ ifeq (,$(shell which opm 2>/dev/null))
 	@{ \
 	set -e ;\
 	mkdir -p $(dir $(OPM)) ;\
-	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.15.1/$(OS)-$(ARCHA)-opm ;\
+	curl -sSLo $(OPM) https://github.com/operator-framework/operator-registry/releases/download/v1.26.0/$(OS)-$(ARCHA)-opm ;\
 	chmod +x $(OPM) ;\
 	}
 else
@@ -269,53 +290,108 @@ charts:
 	mkdir -p $@
 
 .PHONY: helm-chart
-helm-chart: kustomize helm kubectl-slice yq charts
-	@echo "== KUSTOMIZE (image and namespace) =="
-	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
-	cd config/default && $(KUSTOMIZE) edit set namespace ${NAMESPACE}
+helm-chart: helm-chart-generate
 
-	@echo "== HELM =="
+.PHONY: helm-chart-generate
+helm-chart-generate: kustomize helm kubectl-slice yq charts
+	@echo "== KUSTOMIZE: Set image and chart label =="
+	cd config/manager && $(KUSTOMIZE) edit set image controller=${IMG}
+	cd config/manager && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+	cd config/default && $(KUSTOMIZE) edit set label helm.sh/chart:$(CHART_NAME)
+
+	@echo "== Gather Helm Chart Metadata =="
+	# remove the existing chart if it exists
+	rm -rf charts/$(CHART_NAME)
+	# create new chart metadata in Chart.yaml
 	cd charts && \
 		$(HELM) create awx-operator --starter $(shell pwd)/.helm/starter ;\
 		$(YQ) -i '.version = "$(VERSION)"' $(CHART_NAME)/Chart.yaml ;\
 		$(YQ) -i '.appVersion = "$(VERSION)" | .appVersion style="double"' $(CHART_NAME)/Chart.yaml ;\
 		$(YQ) -i '.description = "$(CHART_DESCRIPTION)"' $(CHART_NAME)/Chart.yaml ;\
 
+	@echo "Generated chart metadata:"
 	@cat charts/$(CHART_NAME)/Chart.yaml
 
-	@echo "== KUSTOMIZE (annotation) =="
-	cd config/manager && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
-	cd config/default && $(KUSTOMIZE) edit set annotation helm.sh/chart:$(CHART_NAME)-$(VERSION)
-
-	@echo "== SLICE =="
+	@echo "== KUSTOMIZE: Generate resources and slice into templates =="
+	# place in raw-files directory so they can be modified while they are valid yaml - as soon as they are in templates/,
+	# wild cards pick up the actual templates, which are not real yaml and can't have yq run on them.
 	$(KUSTOMIZE) build --load-restrictor LoadRestrictionsNone config/default | \
 		$(KUBECTL_SLICE) --input-file=- \
-			--output-dir=charts/$(CHART_NAME)/templates \
+			--output-dir=charts/$(CHART_NAME)/raw-files \
 			--sort-by-kind
-	@echo "Helm Chart $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+	@echo "== GIT: Reset kustomize configs =="
+	# reset kustomize configs following kustomize build
+	git checkout -f config/.
+
+	@echo "== Build Templates and CRDS =="
+	# Delete metadata.namespace, release namespace will be automatically inserted by helm
+	for file in charts/$(CHART_NAME)/raw-files/*; do\
+		$(YQ) -i 'del(.metadata.namespace)' $${file};\
+	done
+	# Correct namespace for rolebinding to be release namespace, this must be explicit
+	for file in charts/$(CHART_NAME)/raw-files/*rolebinding*; do\
+		$(YQ) -i '.subjects[0].namespace = "{{ .Release.Namespace }}"' $${file};\
+	done
+	# move all custom resource definitions to crds folder
+	mkdir charts/$(CHART_NAME)/crds
+	mv charts/$(CHART_NAME)/raw-files/customresourcedefinition*.yaml charts/$(CHART_NAME)/crds/.
+	# remove any namespace definitions
+	rm -f charts/$(CHART_NAME)/raw-files/namespace*.yaml
+	# move remaining resources to helm templates
+	mv charts/$(CHART_NAME)/raw-files/* charts/$(CHART_NAME)/templates/.
+	# remove the raw-files folder
+	rm -rf charts/$(CHART_NAME)/raw-files
+
+	# create and populate NOTES.txt
+	@echo "AWX Operator installed with Helm Chart version $(VERSION)" > charts/$(CHART_NAME)/templates/NOTES.txt
+
+	@echo "Helm chart successfully configured for $(CHART_NAME) version $(VERSION)"
 
 
 .PHONY: helm-package
-helm-package: cr helm-chart
-	@echo "== CHART RELEASER (package) =="
-	$(CR) package ./charts/awx-operator
+helm-package: helm-chart
+	@echo "== Package Current Chart Version =="
+	mkdir -p .cr-release-packages
+	# package the chart and put it in .cr-release-packages dir
+	$(HELM) package ./charts/awx-operator -d .cr-release-packages
 
-# The actual release happens in ansible/helm-release.yml
-# until https://github.com/helm/chart-releaser/issues/122 happens
+# List all tags oldest to newest.
+TAGS := $(shell git ls-remote --tags --sort=version:refname --refs -q | cut -d/ -f3)
+
+# The actual release happens in ansible/helm-release.yml, which calls this targer
+# until https://github.com/helm/chart-releaser/issues/122 happens, chart-releaser is not ideal for a chart
+# that is contained within a larger repo, where a tag may not require a new chart version
 .PHONY: helm-index
-helm-index: cr helm-chart
-	@echo "== CHART RELEASER (httpsorigin) =="
-	git remote add httpsorigin "https://github.com/$(CHART_OWNER)/$(CHART_REPO).git"
-	git fetch httpsorigin
+helm-index:
+	# when running in CI this gh-pages are already checked out with github action to 'gh-pages' directory
+	# TODO: test if gh-pages directory exists and if not exist
 
-	@echo "== CHART RELEASER (index) =="
-	$(CR) index \
-		--owner "$(CHART_OWNER)" \
-		--git-repo "$(CHART_REPO)" \
-		--token "$(CR_TOKEN)" \
-		--pages-branch "$(CHART_BRANCH)" \
-		--index-path "./charts/$(CHART_INDEX)" \
-		--charts-repo "https://$(CHART_OWNER).github.io/$(CHART_REPO)/$(CHART_INDEX)" \
-		--remote httpsorigin \
-		--release-name-template="{{ .Version }}" \
-		--push
+	@echo "== GENERATE INDEX FILE =="
+	# This step to workaround issues with old releases being dropped.
+	# Until https://github.com/helm/chart-releaser/issues/133 happens
+	@echo "== CHART FETCH previous releases =="
+	# Download all old releases
+	mkdir -p .cr-release-packages
+
+	for tag in $(TAGS); do\
+		dl_url="https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/$${tag}/$(CHART_REPO)-$${tag}.tgz";\
+		echo "Downloading $${tag} from $${dl_url}";\
+		curl -RLOs -z "$(CHART_REPO)-$${tag}.tgz" --fail $${dl_url};\
+		result=$$?;\
+		if [ $${result} -eq 0 ]; then\
+			echo "Downloaded $${dl_url}";\
+			mkdir -p .cr-release-packages/$${tag};\
+			mv ./$(CHART_REPO)-$${tag}.tgz .cr-release-packages/$${tag};\
+		else\
+			echo "Skipping release $${tag}; No helm chart present";\
+			rm -rf "$(CHART_REPO)-$${tag}.tgz";\
+		fi;\
+	done;\
+
+	# generate the index file in the root of the gh-pages branch
+	# --merge will leave any values in index.yaml that don't get generated by this command, but
+	# it is likely that all values are overridden
+	$(HELM) repo index .cr-release-packages --url https://github.com/$(CHART_OWNER)/$(CHART_REPO)/releases/download/ --merge gh-pages/index.yaml
+
+	mv .cr-release-packages/index.yaml gh-pages/index.yaml

PROJECT

@@ -13,4 +13,18 @@ resources:
   group: awx
   kind: AWX
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXBackup
+  version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  domain: ansible.com
+  group: awx
+  kind: AWXRestore
+  version: v1beta1
 version: "3"

README.md

@@ -1,6 +1,10 @@
 # AWX Operator
 
-[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) [![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
+[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)
+[![Build Status](https://github.com/ansible/awx-operator/workflows/CI/badge.svg?event=push)](https://github.com/ansible/awx-operator/actions)
+[![Code of Conduct](https://img.shields.io/badge/code%20of%20conduct-Ansible-yellow.svg)](https://docs.ansible.com/ansible/latest/community/code_of_conduct.html) 
+[![AWX Mailing List](https://img.shields.io/badge/mailing%20list-AWX-orange.svg)](https://groups.google.com/g/awx-project)
+[![IRC Chat - #ansible-awx](https://img.shields.io/badge/IRC-%23ansible--awx-blueviolet.svg)](https://libera.chat)
 
 An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built with [Operator SDK](https://github.com/operator-framework/operator-sdk) and Ansible.
 
@@ -40,16 +44,27 @@ An [Ansible AWX](https://github.com/ansible/awx) operator for Kubernetes built w
          * [CSRF Cookie Secure Setting](#csrf-cookie-secure-setting)
          * [Session Cookie Secure Setting](#session-cookie-secure-setting)
          * [Extra Settings](#extra-settings)
+         * [Configure no_log](#no-log)
+         * [Auto Upgrade](#auto-upgrade)
+            * [Upgrade of instances without auto upgrade](#upgrade-of-instances-without-auto-upgrade)
          * [Service Account](#service-account)
+         * [Labeling operator managed objects](#labeling-operator-managed-objects)
+         * [Pods termination grace period](#pods-termination-grace-period)
       * [Uninstall](#uninstall)
       * [Upgrading](#upgrading)
+         * [Backup](#backup)
          * [v0.14.0](#v0140)
             * [Cluster-scope to Namespace-scope considerations](#cluster-scope-to-namespace-scope-considerations)
             * [Project is now based on v1.x of the operator-sdk project](#project-is-now-based-on-v1x-of-the-operator-sdk-project)
             * [Steps to upgrade](#steps-to-upgrade)
+      * [Disable IPV6](#disable-ipv6)
+      * [Add Execution Nodes](#adding-execution-nodes)
+          * [Custom Receptor CA](#custom-receptor-ca)
    * [Contributing](#contributing)
    * [Release Process](#release-process)
    * [Author](#author)
+   * [Code of Conduct](#code-of-conduct)
+   * [Get Involved](#get-involved)
 
 <!-- Created by https://github.com/ekalinin/github-markdown-toc -->
 
@@ -187,6 +202,22 @@ spec:
   service_type: nodeport
 ```
 
+> It may make sense to create and specify your own secret key for your deployment so that if the k8s secret gets deleted, it can be re-created if needed.  If it is not provided, one will be auto-generated, but cannot be recovered if lost. Read more [here](#secret-key-configuration).
+
+If you are on Openshift, you can take advantage of Routes by specifying the following your spec. This will automatically create a Route for you with a custom hostname. This can be found on the Route section of the Openshift Console.
+
+```yaml
+---
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+spec:
+  service_type: clusterip
+  ingress_type: Route
+```
+
+
 Make sure to add this new file to the list of "resources" in your `kustomization.yaml` file:
 
 ```yaml
@@ -227,25 +258,27 @@ awx-demo-service    NodePort    10.109.40.38   <none>        80:31006/TCP   3m56
 Once deployed, the AWX instance will be accessible by running:
 
 ```
-$ minikube service awx-demo-service --url -n $NAMESPACE
+$ minikube service -n awx awx-demo-service --url
 ```
 
 By default, the admin user is `admin` and the password is available in the `<resourcename>-admin-password` secret. To retrieve the admin password, run:
 
 ```
-$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode
+$ kubectl get secret awx-demo-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo
 yDL2Cx5Za94g9MvBP6B73nzVLlmfgPjR
 ```
 
 You just completed the most basic install of an AWX instance via this operator. Congratulations!!!
 
-For an example using the Nginx Controller in Minukube, don't miss our [demo video](https://asciinema.org/a/416946).
+For an example using the Nginx Ingress Controller in Minikube, don't miss our [demo video](https://asciinema.org/a/416946).
 
 
 ### Helm Install on existing cluster
 
 For those that wish to use [Helm](https://helm.sh/) to install the awx-operator to an existing K8s cluster:
 
+The helm chart is generated from the `helm-chart` Makefile section using the starter files in `.helm/starter`. Consult [the documentation](.helm/starter/README.md) on how to customize the AWX resource with your own values.
+
 ```bash
 $ helm repo add awx-operator https://ansible.github.io/awx-operator/
 "awx-operator" has been added to your repositories
@@ -259,7 +292,7 @@ $ helm search repo awx-operator
 NAME                            CHART VERSION   APP VERSION     DESCRIPTION
 awx-operator/awx-operator       0.17.1          0.17.1          A Helm chart for the AWX Operator
 
-$ helm install my-awx-operator awx-operator/awx-operator
+$ helm install -n awx --create-namespace my-awx-operator awx-operator/awx-operator
 NAME: my-awx-operator
 LAST DEPLOYED: Thu Feb 17 22:09:05 2022
 NAMESPACE: default
@@ -285,7 +318,7 @@ There are three variables that are customizable for the admin user account creat
 
 If `admin_password_secret` is not provided, the operator will look for a secret named `<resourcename>-admin-password` for the admin password. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-admin-password`.
 
-To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode`
+To retrieve the admin password, run `kubectl get secret <resourcename>-admin-password -o jsonpath="{.data.password}" | base64 --decode ; echo`
 
 The secret that is expected to be passed should be formatted as follow:
 
@@ -301,6 +334,41 @@ stringData:
 ```
 
 
+### Secret Key Configuration
+
+This key is used to encrypt sensitive data in the database.
+
+| Name              | Description                                           | Default          |
+| ----------------- | ----------------------------------------------------- | ---------------- |
+| secret_key_secret | Secret that contains the symmetric key for encryption | Generated     |
+
+
+> :warning: **secret_key_secret must be a Kubernetes secret and not your text clear secret value**.
+
+If `secret_key_secret` is not provided, the operator will look for a secret named `<resourcename>-secret-key` for the secret key. If it is not present, the operator will generate a password and create a Secret from it named `<resourcename>-secret-key`. It is important to not delete this secret as it will be needed for upgrades and if the pods get scaled down at any point. If you are using a GitOps flow, you will want to pass a secret key secret.
+
+The secret should be formatted as follow:
+
+```yaml
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: custom-awx-secret-key
+  namespace: <target namespace>
+stringData:
+  secret_key: supersecuresecretkey
+```
+
+Then specify the secret name on the AWX spec:
+
+```yaml
+---
+spec:
+  ...
+  secret_key_secret: custom-awx-secret-key
+```
+
 ### Network and TLS Configuration
 
 #### Service Type
@@ -391,9 +459,11 @@ The following variables are customizable when `ingress_type=ingress`. The `ingre
 | ------------------- | ---------------------------------------- | --------------------------- |
 | ingress_annotations | Ingress annotations                      | Empty string                |
 | ingress_tls_secret  | Secret that contains the TLS information | Empty string                |
+| ingress_class_name  | Define the ingress class name            | Cluster default             |
 | hostname            | Define the FQDN                          | {{ meta.name }}.example.com |
 | ingress_path        | Define the ingress path to the service   | /                           |
 | ingress_path_type   | Define the type of the path (for LBs)    | Prefix                      |
+| ingress_api_version | Define the Ingress resource apiVersion   | 'networking.k8s.io/v1'      |
 
 ```yaml
 ---
@@ -414,6 +484,7 @@ The following variables are customizable when `ingress_type=route`
 | route_host                      | Common name the route answers for             | `<instance-name>-<namespace>-<routerCanonicalHostname>` |
 | route_tls_termination_mechanism | TLS Termination mechanism (Edge, Passthrough) | Edge                                                    |
 | route_tls_secret                | Secret that contains the TLS information      | Empty string                                            |
+| route_api_version               | Define the Route resource apiVersion          | 'route.openshift.io/v1'                                 |
 
 ```yaml
 ---
@@ -427,6 +498,12 @@ spec:
 
 ### Database Configuration
 
+#### Postgres Version
+
+The default Postgres version for the version of AWX bundled with the latest version of the awx-operator is Postgres 13. You can find this default for a given version by at the default value for [_postgres_image_version](./roles/installer/defaults/main.yml#L138).
+
+We only have coverage for the default version of Postgres. Newer versions of Postgres (14+) will likely work, but should only be configured as an external database. If your database is managed by the awx-operator (default if you don't specify a `postgres_configuration_secret`), then you should not override the default version as this may cause issues when awx-operator tries to upgrade your postgresql pod.
+
 #### External PostgreSQL Service
 
 To configure AWX to use an external database, the Custom Resource needs to know about the connection details. To do this, create a k8s secret with those connection details and specify the name of the secret as `postgres_configuration_secret` at the CR spec level.
@@ -452,7 +529,7 @@ stringData:
 type: Opaque
 ```
 
-> Please ensure that the value for the variable `password` should _not_ contain single or double quotes (`'`, `"`) or backslashes (`\`) to avoid any issues during deployment, backup or restoration.
+> Please ensure that the value for the variable `password` should _not_ contain single or double quotes (`'`, `"`) or backslashes (`\`) to avoid any issues during deployment, [backup](https://github.com/ansible/awx-operator/tree/devel/roles/backup) or [restoration](https://github.com/ansible/awx-operator/tree/devel/roles/restore).
 
 > It is possible to set a specific username, password, port, or database, but still have the database managed by the operator. In this case, when creating the postgres-configuration secret, the `type: managed` field should be added.
 
@@ -498,7 +575,7 @@ spec:
       cpu: 500m
       memory: 2Gi
     limits:
-      cpu: 1
+      cpu: '1'
       memory: 4Gi
   postgres_storage_requirements:
     requests:
@@ -644,18 +721,20 @@ You can constrain the AWX pods created by the operator to run on a certain subse
 the AWX pods to run only on the nodes that match all the specified key/value pairs. `tolerations` and `postgres_tolerations` allow the AWX
 pods to be scheduled onto nodes with matching taints.
 The ability to specify topologySpreadConstraints is also allowed through `topology_spread_constraints`
+If you want to use affinity rules for your AWX pod you can use the `affinity` option.
 
 
-| Name                        | Description                         | Default |
-| --------------------------- | ----------------------------------- | ------- |
-| postgres_image              | Path of the image to pull           | 12      |
-| postgres_image_version      | Image version to pull               | 12      |
-| node_selector               | AWX pods' nodeSelector              | ''      |
-| topology_spread_constraints | AWX pods' topologySpreadConstraints | ''      |
-| tolerations                 | AWX pods' tolerations               | ''      |
-| annotations                 | AWX pods' annotations               | ''      |
-| postgres_selector           | Postgres pods' nodeSelector         | ''      |
-| postgres_tolerations        | Postgres pods' tolerations          | ''      |
+| Name                        | Description                         | Default  |
+| --------------------------- | ----------------------------------- | -------  |
+| postgres_image              | Path of the image to pull           | postgres |
+| postgres_image_version      | Image version to pull               | 13       |
+| node_selector               | AWX pods' nodeSelector              | ''       |
+| topology_spread_constraints | AWX pods' topologySpreadConstraints | ''       |
+| affinity                    | AWX pods' affinity rules            | ''       |
+| tolerations                 | AWX pods' tolerations               | ''       |
+| annotations                 | AWX pods' annotations               | ''       |
+| postgres_selector           | Postgres pods' nodeSelector         | ''       |
+| postgres_tolerations        | Postgres pods' tolerations          | ''       |
 
 Example of customization could be:
 
@@ -688,6 +767,28 @@ spec:
       operator: "Equal"
       value: "AWX"
       effect: "NoSchedule"
+  affinity:
+    nodeAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 1
+        preference:
+          matchExpressions:
+          - key: another-node-label-key
+            operator: In
+            values:
+            - another-node-label-value
+            - another-node-label-value
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchExpressions:
+            - key: security
+              operator: In
+              values:
+              - S2
+          topologyKey: topology.kubernetes.io/zone
 ```
 
 #### Trusting a Custom Certificate Authority
@@ -715,7 +816,22 @@ spec:
   bundle_cacert_secret: <resourcename>-custom-certs
 ```
 
-To create the secrets, you can use the commands below:
+Create the secret with `kustomization.yaml` file:
+
+```yaml
+....
+
+secretGenerator:
+  - name: <resourcename>-custom-certs
+    files:
+      - bundle-ca.crt=<path+filename>
+    options:
+      disableNameSuffixHash: true
+      
+...
+```
+
+Create the secret with CLI:
 
 * Certificate Authority secret
 
@@ -734,7 +850,9 @@ To create the secrets, you can use the commands below:
 
 #### Enabling LDAP Integration at AWX bootstrap
 
-A sample of extra settings can be found as below:
+A sample of extra settings can be found as below. All possible options can be found here: https://django-auth-ldap.readthedocs.io/en/latest/reference.html#settings
+
+> **NOTE:** These values are inserted into a Python file, so pay close attention to which values need quotes and which do not.
 
 ```yaml
     - setting: AUTH_LDAP_SERVER_URI
@@ -751,6 +869,9 @@ A sample of extra settings can be found as below:
     - setting: AUTH_LDAP_GROUP_SEARCH
       value: 'LDAPSearch("OU=Groups,DC=abc,DC=com",ldap.SCOPE_SUBTREE,"(objectClass=group)",)'
 
+    - setting: AUTH_LDAP_GROUP_TYPE
+      value: 'GroupOfNamesType(name_attr="cn")'
+
     - setting: AUTH_LDAP_USER_ATTR_MAP
       value: '{"first_name": "givenName","last_name": "sn","email": "mail"}'
 
@@ -892,11 +1013,22 @@ Example spec file for volumes and volume mounts
 
 > :warning: **Volume and VolumeMount names cannot contain underscores(_)**
 
+##### Custom Nginx Configuration
+
+Using the [extra_volumes feature](#custom-volume-and-volume-mount-options), it is possible to extend the nginx.conf.
+
+1. Create a ConfigMap with the extra settings you want to include in the nginx.conf
+2. Create an extra_volumes entry in the AWX spec for this ConfigMap
+3. Create an web_extra_volume_mounts entry in the AWX spec to mount this volume
+
+The AWX nginx config automatically includes /etc/nginx/conf.d/*.conf if present.
+
+
 #### Default execution environments from private registries
 
 In order to register default execution environments from private registries, the Custom Resource needs to know about the pull credentials. Those credentials should be stored as a secret and either specified as `ee_pull_credentials_secret` at the CR spec level, or simply be present on the namespace under the name `<resourcename>-ee-pull-credentials` . Instance initialization will register a `Container registry` type credential on the deployed instance and assign it to the registered default execution environments.
 
-The secret should be formated as follows:
+The secret should be formatted as follows:
 
 ```yaml
 ---
@@ -920,7 +1052,7 @@ You can create `image_pull_secret`
 ```
 kubectl create secret <resoucename>-cp-pull-credentials regcred --docker-server=<your-registry-server> --docker-username=<your-name> --docker-password=<your-pword> --docker-email=<your-email>
 ```
-If you need more control (for example, to set a namespace or a label on the new secret) then you can customise the Secret before storing it
+If you need more control (for example, to set a namespace or a label on the new secret) then you can customize the Secret before storing it
 
 Example spec file extra-config
 
@@ -1011,8 +1143,65 @@ Example configuration of `extra_settings` parameter
 
       - setting: AUTH_LDAP_BIND_DN
         value: "cn=admin,dc=example,dc=com"
+
+      - setting: LOG_AGGREGATOR_LEVEL
+        value: "'DEBUG'"
 ```
 
+Note for some settings, such as `LOG_AGGREGATOR_LEVEL`, the value may need double quotes.
+
+
+#### No Log
+Configure no_log for tasks with no_log
+
+| Name   | Description          | Default |
+| ------ | -------------------- | ------- |
+| no_log | No log configuration | 'true'  |
+
+Example configuration of `no_log` parameter
+
+```yaml
+  spec:
+    no_log: true
+```
+
+#### Auto upgrade
+With this parameter you can influence the behavior during an operator upgrade.  
+If set to `true`, the operator will upgrade the specific instance directly.  
+When the value is set to `false`, and we have a running deployment, the operator will not update the AWX instance.  
+This can be useful when you have multiple AWX instances which you want to upgrade step by step instead of all at once.  
+
+
+| Name         | Description                        | Default |
+| -------------| ---------------------------------- | ------- |
+| auto_upgrade | Automatic upgrade of AWX instances | true    |
+
+Example configuration of `auto_upgrade` parameter
+
+```yaml
+  spec:
+    auto_upgrade: true
+```
+
+##### Upgrade of instances without auto upgrade
+
+There are two ways to upgrade instances which are marked with the 'auto_upgrade: false' flag.  
+
+Changing flags:
+
+- change the auto_upgrade flag on your AWX object to true  
+- wait until the upgrade process of that instance is finished
+- change the auto_upgrade flag on your AWX object back to false  
+
+Delete the deployment:
+
+- delete the deployment object of your AWX instance  
+```
+$ kubectl -n awx delete deployment <yourInstanceName> 
+```
+- wait until the instance gets redeployed  
+
+
 #### Service Account
 
 If you need to modify some `ServiceAccount` proprieties
@@ -1029,6 +1218,74 @@ Example configuration of environment variables
       eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/<IAM_ROLE_NAME>
 ```
 
+#### Labeling operator managed objects
+
+In certain situations labeling of Kubernetes objects managed by the operator
+might be desired (e.g. for owner identification purposes). For that
+`additional_labels` parameter could be used
+
+| Name                        | Description                                                                              | Default |
+| --------------------------- | ---------------------------------------------------------------------------------------- | ------- |
+| additional_labels           | Additional labels defined on the resource, which should be propagated to child resources | []      |
+
+Example configuration where only `my/team` and `my/service` labels will be
+propagated to child objects (`Deployment`, `Secret`s, `ServiceAccount`, etc):
+
+```yaml
+apiVersion: awx.ansible.com/v1beta1
+kind: AWX
+metadata:
+  name: awx-demo
+  labels:
+    my/team: "foo"
+    my/service: "bar"
+    my/do-not-inherit: "yes"
+spec:
+  additional_labels:
+  - my/team
+  - my/service
+...
+```
+
+#### Pods termination grace period
+
+During deployment restarts or new rollouts, when old ReplicaSet Pods are being
+terminated, the corresponding jobs which are managed (executed or controlled)
+by old AWX Pods may end up in `Error` state as there is no mechanism to
+transfer them to the newly spawned AWX Pods. To work around the problem one
+could set `termination_grace_period_seconds` in AWX spec, which does the
+following:
+
+* It sets the corresponding
+  [`terminationGracePeriodSeconds`](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-termination)
+  Pod spec of the AWX Deployment to the value provided
+
+  > The grace period is the duration in seconds after the processes running in
+  > the pod are sent a termination signal and the time when the processes are
+  > forcibly halted with a kill signal
+
+* It adds a
+  [`PreStop`](https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#hook-handler-execution)
+  hook script, which will keep AWX Pods in terminating state until it finished,
+  up to `terminationGracePeriodSeconds`.
+
+  > This grace period applies to the total time it takes for both the PreStop
+  > hook to execute and for the Container to stop normally
+
+  While the hook script just waits until the corresponding AWX Pod (instance)
+  no longer has any managed jobs, in which case it finishes with success and
+  hands over the overall Pod termination process to normal AWX processes.
+
+One may want to set this value to the maximum duration they accept to wait for
+the affected Jobs to finish. Keeping in mind that such finishing jobs may
+increase Pods termination time in such situations as `kubectl rollout restart`,
+AWX upgrade by the operator, or Kubernetes [API-initiated
+evictions](https://kubernetes.io/docs/concepts/scheduling-eviction/api-eviction/).
+
+
+| Name                             | Description                                                     | Default |
+| -------------------------------- | --------------------------------------------------------------- | ------- |
+| termination_grace_period_seconds | Optional duration in seconds pods needs to terminate gracefully | not set |
 
 ### Uninstall ###
 
@@ -1041,12 +1298,38 @@ awx.awx.ansible.com "awx-demo" deleted
 
 Deleting an AWX instance will remove all related deployments and statefulsets, however, persistent volumes and secrets will remain. To enforce secrets also getting removed, you can use `garbage_collect_secrets: true`.
 
+**Note**: If you ever intend to recover an AWX from an existing database you will need a copy of the secrets in order to perform a successful recovery.
+
 ### Upgrading
 
 To upgrade AWX, it is recommended to upgrade the awx-operator to the version that maps to the desired version of AWX.  To find the version of AWX that will be installed by the awx-operator by default, check the version specified in the `image_version` variable in `roles/installer/defaults/main.yml` for that particular release.
 
 Apply the awx-operator.yml for that release to upgrade the operator, and in turn also upgrade your AWX deployment.
 
+#### Backup
+
+The first part of any upgrade should be a backup. Note, there are secrets in the pod which work in conjunction with the database. Having just a database backup without the required secrets will not be sufficient for recovering from an issue when upgrading to a new version. See the [backup role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/backup) for information on how to backup your database and secrets.
+
+In the event you need to recover the backup see the [restore role documentation](https://github.com/ansible/awx-operator/tree/devel/roles/restore). *Before Restoring from a backup*, be sure to:
+* delete the old existing AWX CR
+* delete the persistent volume claim (PVC) for the database from the old deployment, which has a name like `postgres-13-<deployment-name>-postgres-13-0`
+
+**Note**: Do not delete the namespace/project, as that will delete the backup and the backup's PVC as well.
+
+
+#### PostgreSQL Upgrade Considerations
+
+If there is a PostgreSQL major version upgrade, after the data directory on the PVC is migrated to the new version, the old PVC is kept by default.
+This provides the ability to roll back if needed, but can take up extra storage space in your cluster unnecessarily. You can configure it to be deleted automatically
+after a successful upgrade by setting the following variable on the AWX spec. 
+
+
+```yaml
+  spec:
+    postgres_keep_pvc_after_upgrade: False
+```
+
+
 #### v0.14.0
 
 ##### Cluster-scope to Namespace-scope considerations
@@ -1073,6 +1356,52 @@ Then install the new AWX Operator by following the instructions in [Basic Instal
 
 Once the new AWX Operator is up and running, your AWX deployment will also be upgraded.
 
+### Disable IPV6
+Starting with AWX Operator release 0.24.0,[IPV6 was enabled in ngnix configuration](https://github.com/ansible/awx-operator/pull/950) which causes
+upgrades and installs to fail in environments where IPv6 is not allowed. Starting in 1.1.1 release, you can set the `ipv6_disabled` flag on the AWX
+spec. If you need to use an AWX operator version between 0.24.0 and 1.1.1 in an IPv6 disabled environment, it is suggested to enabled ipv6 on worker
+nodes.
+
+In order to disable ipv6 on ngnix configuration (awx-web container), add following to the AWX spec.
+
+The following variables are customizable 
+
+| Name          | Description            | Default |
+| ------------- | ---------------------- | ------- |
+| ipv6_disabled | Flag to disable ipv6   | false   |
+
+```yaml
+spec:
+  ipv6_disabled: true
+```
+
+### Adding Execution Nodes
+Starting with AWX Operator v0.30.0 and AWX v21.7.0, standalone execution nodes can be added to your deployments.
+See [AWX execution nodes docs](https://github.com/ansible/awx/blob/devel/docs/execution_nodes.md) for information about this feature.
+
+#### Custom Receptor CA
+The control nodes on the K8S cluster will communicate with execution nodes via mutual TLS TCP connections, running via Receptor.
+Execution nodes will verify incoming connections by ensuring the x509 certificate was issued by a trusted Certificate Authority (CA).
+
+A user may wish to provide their own CA for this validation. If no CA is provided, AWX Operator will automatically generate one using OpenSSL.
+
+Given custom `ca.crt` and `ca.key` stored locally, run the following,
+
+```bash
+kubectl create secret tls awx-demo-receptor-ca \
+   --cert=/path/to/ca.crt --key=/path/to/ca.key
+```
+
+The secret should be named `{AWX Custom Resource name}-receptor-ca`. In the above the AWX CR name is "awx-demo". Please replace "awx-demo" with your AWX Custom Resource name.
+
+If this secret is created after AWX is deployed, run the following to restart the deployment,
+
+```bash
+kubectl rollout restart deployment awx-demo
+```
+
+**Important Note**, changing the receptor CA will break connections to any existing execution nodes. These nodes will enter an `unavailable` state, and jobs will not be able to run on them. Users will need to download and re-run the install bundle for each execution node. This will replace the TLS certificate files with those signed by the new CA. The execution nodes should then appear in a `ready` state after a few minutes.
+
 ## Contributing
 
 Please visit [our contributing guidelines](https://github.com/ansible/awx-operator/blob/devel/CONTRIBUTING.md).
@@ -1080,7 +1409,7 @@ Please visit [our contributing guidelines](https://github.com/ansible/awx-operat
 
 ## Release Process
 
-The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you dont need to do it as a separate step.
+The first step is to create a draft release. Typically this will happen in the [Stage Release](https://github.com/ansible/awx/blob/devel/.github/workflows/stage.yml) workflow for AWX and you don't need to do it as a separate step.
 
 If you need to do an independent release of the operator, you can run the [Stage Release](https://github.com/ansible/awx-operator/blob/devel/.github/workflows/stage.yml) in the awx-operator repo. Both of these workflows will run smoke tests, so there is no need to do this manually.
 
@@ -1092,3 +1421,14 @@ After the draft release is created, publish it and the [Promote AWX Operator ima
 ## Author
 
 This operator was originally built in 2019 by [Jeff Geerling](https://www.jeffgeerling.com) and is now maintained by the Ansible Team
+
+## Code of Conduct
+
+We ask all of our community members and contributors to adhere to the [Ansible code of conduct](http://docs.ansible.com/ansible/latest/community/code_of_conduct.html). If you have questions or need assistance, please reach out to our community team at [codeofconduct@ansible.com](mailto:codeofconduct@ansible.com)
+
+## Get Involved
+
+We welcome your feedback and ideas. The AWX operator uses the same mailing list and IRC channel as AWX itself. Here's how to reach us with feedback and questions:
+
+- Join the `#ansible-awx` channel on irc.libera.chat
+- Join the [mailing list](https://groups.google.com/forum/#!forum/awx-project)

SECURITY.md

@@ -0,0 +1,3 @@
+For all security related bugs, email security@ansible.com instead of using this issue tracker and you will receive a prompt response.
+
+For more information on the Ansible community's practices regarding responsible disclosure, see https://www.ansible.com/security

ansible/helm-release.yml

@@ -16,7 +16,7 @@
 
     - name: Build and package helm chart
       command: |
-        make helm-chart helm-package
+        make helm-package
       environment:
         VERSION: "{{ tag }}"
         IMAGE_TAG_BASE: "{{ operator_image }}"
@@ -37,6 +37,13 @@
       register: asset_upload
       changed_when: asset_upload.json.state == "uploaded"
 
+    - name: Configure git config
+      shell: |
+        git config user.name {{ gh_user }}
+        git config user.email {{ gh_user }}@users.noreply.github.com
+      args:
+        chdir: "{{ playbook_dir }}/../gh-pages"
+
     - name: Publish helm index
       command: |
         make helm-index
@@ -45,3 +52,11 @@
         CR_TOKEN: "{{ gh_token }}"
       args:
         chdir: "{{ playbook_dir }}/../"
+
+    - name: Stage and Push commit to gh-pages branch
+      shell: |
+        git add index.yaml
+        git commit -m "Updated index.yaml latest release"
+        git push
+      args:
+        chdir: "{{ playbook_dir }}/../gh-pages"

ansible/instantiate-awx-deployment.yml

@@ -26,6 +26,7 @@
             image_version: "{{ image_version | default(omit) }}"
             development_mode: "{{ development_mode | default(omit) | bool }}"
             image_pull_policy: "{{ image_pull_policy | default(omit) }}"
+            nodeport_port: "{{ nodeport_port | default(omit) }}"
             # ee_images:
             #   - name: test-ee
             #     image: quay.io/<user>/awx-ee

config/crd/bases/awx.ansible.com_awxbackups.yaml

@@ -0,0 +1,129 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxbackups.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXBackup
+    listKind: AWXBackupList
+    plural: awxbackups
+    singular: awxbackup
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXBackup CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            required:
+            - deployment_name
+            properties:
+              deployment_name:
+                description: Name of the deployment to be backed up
+                type: string
+              backup_pvc:
+                description: Name of the backup PVC
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_storage_requirements:
+                description: Storage requirements for backup PVC (may be similar to existing postgres PVC backing up from)
+                type: string
+              backup_resource_requirements:
+                description: Resource requirements for the management pod used to create a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              backup_storage_class:
+                description: Storage class to use when creating PVC for backup
+                type: string
+              clean_backup_on_delete:
+                description: Flag to indicate if backup should be deleted on PVC if AWXBackup object is deleted
+                type: boolean
+              pg_dump_suffix:
+                description: Additional parameters for the pg_dump command
+                type: string
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              backupDirectory:
+                description: Backup directory name on the specified pvc
+                type: string
+              backupClaim:
+                description: Backup persistent volume claim
+                type: string

config/crd/bases/awx.ansible.com_awxrestores.yaml

@@ -0,0 +1,128 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: awxrestores.awx.ansible.com
+spec:
+  group: awx.ansible.com
+  names:
+    kind: AWXRestore
+    listKind: AWXRestoreList
+    plural: awxrestores
+    singular: awxrestore
+  scope: Namespaced
+  versions:
+  - name: v1beta1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        type: object
+        description: Schema validation for the AWXRestore CRD
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              backup_source:
+                description: Backup source
+                type: string
+                enum:
+                - CR
+                - PVC
+              deployment_name:
+                description: Name of the restored deployment. This should be different from the original deployment name
+                  if the original deployment still exists.
+                type: string
+              cluster_name:
+                description: Cluster name
+                type: string
+              backup_name:
+                description: AWXBackup object name
+                type: string
+              backup_pvc:
+                description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
+                type: string
+              backup_pvc_namespace:
+                description: (Deprecated) Namespace the PVC is in
+                type: string
+              backup_dir:
+                description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
+                type: string
+              restore_resource_requirements:
+                description: Resource requirements for the management pod that restores AWX from a backup
+                properties:
+                  requests:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                  limits:
+                    properties:
+                      cpu:
+                        type: string
+                      memory:
+                        type: string
+                    type: object
+                type: object
+              postgres_label_selector:
+                description: Label selector used to identify postgres pod for backing up data
+                type: string
+              postgres_image:
+                description: Registry path to the PostgreSQL container to use
+                type: string
+              postgres_image_version:
+                description: PostgreSQL container image version to use
+                type: string
+              no_log:
+                description: Configure no_log for no_log tasks
+                type: boolean
+                default: true
+              additional_labels:
+                description: Additional labels defined on the resource, which should be propagated to child resources
+                type: array
+                items:
+                  type: string
+              set_self_labels:
+                description: Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+                type: boolean
+                default: true
+          status:
+            type: object
+            x-kubernetes-preserve-unknown-fields: true
+            properties:
+              conditions:
+                description: The resulting conditions when a Service Telemetry is instantiated
+                items:
+                  properties:
+                    lastTransitionTime:
+                      type: string
+                    reason:
+                      type: string
+                    status:
+                      type: string
+                    type:
+                      type: string
+                  type: object
+                type: array
+              restoreComplete:
+                description: Restore process complete
+                type: boolean

config/crd/bases/awxbackup.ansible.com_awxbackups.yaml

@@ -1,77 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxbackups.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXBackup
-    listKind: AWXBackupList
-    plural: awxbackups
-    singular: awxbackup
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXBackup CRD
-          properties:
-            spec:
-              type: object
-              required:
-                - deployment_name
-              properties:
-                deployment_name:
-                  description: Name of the deployment to be backed up
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be used for storing the backup
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_storage_requirements:
-                  description: Storage requirements for the PostgreSQL container
-                  type: string
-                backup_storage_class:
-                  description: Storage class to use when creating PVC for backup
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                backupDirectory:
-                  description: Backup directory name on the specified pvc
-                  type: string
-                backupClaim:
-                  description: Backup persistent volume claim
-                  type: string

config/crd/bases/awxrestore.ansible.com_awxrestores.yaml

@@ -1,78 +0,0 @@
----
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
-  name: awxrestores.awx.ansible.com
-spec:
-  group: awx.ansible.com
-  names:
-    kind: AWXRestore
-    listKind: AWXRestoreList
-    plural: awxrestores
-    singular: awxrestore
-  scope: Namespaced
-  versions:
-    - name: v1beta1
-      served: true
-      storage: true
-      subresources:
-        status: {}
-      schema:
-        openAPIV3Schema:
-          type: object
-          x-kubernetes-preserve-unknown-fields: true
-          description: Schema validation for the AWXRestore CRD
-          properties:
-            spec:
-              type: object
-              properties:
-                backup_source:
-                  description: Backup source
-                  type: string
-                  enum:
-                    - CR
-                    - PVC
-                deployment_name:
-                  description: Name of the deployment to be restored to
-                  type: string
-                backup_name:
-                  description: AWXBackup object name
-                  type: string
-                backup_pvc:
-                  description: Name of the PVC to be restored from, set as a status found on the awxbackup object (backupClaim)
-                  type: string
-                backup_pvc_namespace:
-                  description: Namespace the PVC is in
-                  type: string
-                backup_dir:
-                  description: Backup directory name, set as a status found on the awxbackup object (backupDirectory)
-                  type: string
-                postgres_label_selector:
-                  description: Label selector used to identify postgres pod for backing up data
-                  type: string
-                postgres_image:
-                  description: Registry path to the PostgreSQL container to use
-                  type: string
-                postgres_image_version:
-                  description: PostgreSQL container image version to use
-                  type: string
-            status:
-              type: object
-              properties:
-                conditions:
-                  description: The resulting conditions when a Service Telemetry is instantiated
-                  items:
-                    properties:
-                      lastTransitionTime:
-                        type: string
-                      reason:
-                        type: string
-                      status:
-                        type: string
-                      type:
-                        type: string
-                    type: object
-                  type: array
-                restoreComplete:
-                  description: Restore process complete
-                  type: boolean

config/crd/kustomization.yaml

@@ -1,9 +1,8 @@
----
 # This kustomization.yaml is not intended to be run by itself,
 # since it depends on service name and namespace that are out of this kustomize package.
 # It should be run by config/default
 resources:
-  - bases/awx.ansible.com_awxs.yaml
-  - bases/awxbackup.ansible.com_awxbackups.yaml
-  - bases/awxrestore.ansible.com_awxrestores.yaml
-# +kubebuilder:scaffold:crdkustomizeresource
+- bases/awx.ansible.com_awxs.yaml
+- bases/awx.ansible.com_awxbackups.yaml
+- bases/awx.ansible.com_awxrestores.yaml
+#+kubebuilder:scaffold:crdkustomizeresource

config/default/kustomization.yaml

@@ -1,24 +1,32 @@
 # Adds namespace to all resources.
 namespace: awx
+
 # Value of this field is prepended to the
 # names of all resources, e.g. a deployment named
 # "wordpress" becomes "alices-wordpress".
 # Note that it should also match with the prefix (text before '-') of the namespace
 # field above.
 namePrefix: awx-operator-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
-  # [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
-  # - ../prometheus
-  # Protect the /metrics endpoint by putting it behind auth.
-  # If you want your controller-manager to expose the /metrics
-  # endpoint w/o any authn/z, please comment the following line.
-patchesStrategicMerge:
-- manager_auth_proxy_patch.yaml
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
+#labels:
+#- includeSelectors: true
+#  pairs:
+#    someName: someValue
+
 resources:
 - ../crd
 - ../rbac
 - ../manager
+# [PROMETHEUS] To enable prometheus monitor, uncomment all sections with 'PROMETHEUS'.
+#- ../prometheus
+
+patchesStrategicMerge:
+# Protect the /metrics endpoint by putting it behind auth.
+# If you want your controller-manager to expose the /metrics
+# endpoint w/o any authn/z, please comment the following line.
+- manager_auth_proxy_patch.yaml
+
+# Mount the controller config file for loading manager configurations
+# through a ComponentConfig type
+#- manager_config_patch.yaml

config/default/manager_auth_proxy_patch.yaml

@@ -1,4 +1,3 @@
----
 # This patch inject a sidecar container which is a HTTP proxy for the
 # controller manager, it performs RBAC authorization against the Kubernetes API using SubjectAccessReviews.
 apiVersion: apps/v1
@@ -10,20 +9,33 @@ spec:
   template:
     spec:
       containers:
-        - name: kube-rbac-proxy
-          image: gcr.io/kubebuilder/kube-rbac-proxy:v0.8.0
-          args:
-            - "--secure-listen-address=0.0.0.0:8443"
-            - "--upstream=http://127.0.0.1:8080/"
-            - "--logtostderr=true"
-            - "--v=10"
-          ports:
-            - containerPort: 8443
-              protocol: TCP
-              name: https
-        - name: awx-manager
-          args:
-            - "--health-probe-bind-address=:6789"
-            - "--metrics-bind-address=127.0.0.1:8080"
-            - "--leader-elect"
-            - "--leader-election-id=awx-operator"
+      - name: kube-rbac-proxy
+        securityContext:
+          allowPrivilegeEscalation: false
+        # TODO(user): uncomment for common cases that do not require escalating privileges
+        # capabilities:
+        #   drop:
+        #     - "ALL"
+        image: gcr.io/kubebuilder/kube-rbac-proxy:v0.13.0
+        args:
+        - "--secure-listen-address=0.0.0.0:8443"
+        - "--upstream=http://127.0.0.1:8080/"
+        - "--logtostderr=true"
+        - "--v=0"
+        ports:
+        - containerPort: 8443
+          protocol: TCP
+          name: https
+        resources:
+          limits:
+            cpu: 500m
+            memory: 128Mi
+          requests:
+            cpu: 5m
+            memory: 64Mi
+      - name: awx-manager
+        args:
+        - "--health-probe-bind-address=:6789"
+        - "--metrics-bind-address=127.0.0.1:8080"
+        - "--leader-elect"
+        - "--leader-election-id=awx-operator"

config/default/manager_config_patch.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -8,14 +7,14 @@ spec:
   template:
     spec:
       containers:
-        - name: awx-manager
-          args:
-            - "--config=controller_manager_config.yaml"
-          volumeMounts:
-            - name: awx-manager-config
-              mountPath: /controller_manager_config.yaml
-              subPath: controller_manager_config.yaml
-      volumes:
+      - name: awx-manager
+        args:
+        - "--config=controller_manager_config.yaml"
+        volumeMounts:
         - name: awx-manager-config
-          configMap:
-            name: awx-manager-config
+          mountPath: /controller_manager_config.yaml
+          subPath: controller_manager_config.yaml
+      volumes:
+      - name: awx-manager-config
+        configMap:
+          name: awx-manager-config

config/manager/controller_manager_config.yaml

@@ -1,10 +1,20 @@
----
-apiVersion: controller-runtime.sigs.k8s.io/v1beta1
+apiVersion: controller-runtime.sigs.k8s.io/v1alpha1
 kind: ControllerManagerConfig
 health:
   healthProbeBindAddress: :6789
 metrics:
   bindAddress: 127.0.0.1:8080
+
 leaderElection:
   leaderElect: true
   resourceName: 811c9dc5.ansible.com
+# leaderElectionReleaseOnCancel defines if the leader should step down volume
+# when the Manager ends. This requires the binary to immediately end when the
+# Manager is stopped, otherwise, this setting is unsafe. Setting this significantly
+# speeds up voluntary leader transitions as the new leader don't have to wait
+# LeaseDuration time first.
+# In the default scaffold provided, the program ends immediately after
+# the manager stops, so would be fine to enable this option. However,
+# if you are doing or is intended to do any operation such as perform cleanups
+# after the manager stops then its usage might be unsafe.
+# leaderElectionReleaseOnCancel: true

config/manager/kustomization.yaml

@@ -1,11 +1,14 @@
 resources:
 - manager.yaml
+
 generatorOptions:
   disableNameSuffixHash: true
+
 configMapGenerator:
-- files:
+- name: awx-manager-config
+  files:
   - controller_manager_config.yaml
-  name: awx-manager-config
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 images:

config/manager/manager.yaml

@@ -20,41 +20,62 @@ spec:
   replicas: 1
   template:
     metadata:
+      annotations:
+        kubectl.kubernetes.io/default-container: awx-manager
       labels:
         control-plane: controller-manager
     spec:
       securityContext:
         runAsNonRoot: true
+        # For common cases that do not require escalating privileges
+        # it is recommended to ensure that all your Pods/Containers are restrictive.
+        # More info: https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted
+        # Please uncomment the following code if your project does NOT have to work on old Kubernetes
+        # versions < 1.19 or on vendors versions which do NOT support this field by default (i.e. Openshift < 4.11 ).
+        # seccompProfile:
+        #   type: RuntimeDefault
       containers:
-        - args:
-            - --leader-elect
-            - --leader-election-id=awx-operator
-          image: controller:latest
-          name: awx-manager
-          env:
-            - name: ANSIBLE_GATHERING
-              value: explicit
-            - name: ANSIBLE_DEBUG_LOGS
-              value: 'false'
-            - name: WATCH_NAMESPACE
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.namespace
-          securityContext:
-            allowPrivilegeEscalation: false
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 6789
-            initialDelaySeconds: 15
-            periodSeconds: 20
-          readinessProbe:
-            httpGet:
-              path: /readyz
-              port: 6789
-            initialDelaySeconds: 5
-            periodSeconds: 10
+      - args:
+        - --leader-elect
+        - --leader-election-id=awx-operator
+        image: controller:latest
+        name: awx-manager
+        env:
+        - name: ANSIBLE_GATHERING
+          value: explicit
+        - name: ANSIBLE_DEBUG_LOGS
+          value: 'false'
+        - name: WATCH_NAMESPACE
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.namespace
+        securityContext:
+          allowPrivilegeEscalation: false
+        # TODO(user): uncomment for common cases that do not require escalating privileges
+          capabilities:
+            drop:
+            - "ALL"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 6789
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 6789
+          initialDelaySeconds: 5
+          periodSeconds: 10
+        # More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+        resources:
+          requests:
+            memory: "32Mi"
+            cpu: "50m"
+          limits:
+            memory: "4096Mi"
+            cpu: "2000m"
       serviceAccountName: controller-manager
       imagePullSecrets:
-        - name: redhat-operators-pull-secret
+      - name: redhat-operators-pull-secret
       terminationGracePeriodSeconds: 10

config/manifests/kustomization.yaml

@@ -1,8 +1,7 @@
----
 # These resources constitute the fully configured set of manifests
 # used to generate the 'manifests/' directory in a bundle.
 resources:
-  - bases/awx-operator.clusterserviceversion.yaml
-  - ../default
-  - ../samples
-  - ../scorecard
+- bases/awx-operator.clusterserviceversion.yaml
+- ../default
+- ../samples
+- ../scorecard

config/prometheus/kustomization.yaml

@@ -1,3 +1,2 @@
----
 resources:
-  - monitor.yaml
+- monitor.yaml

config/prometheus/monitor.yaml

@@ -1,4 +1,3 @@
----
 # Prometheus Monitor Service (Metrics)
 apiVersion: monitoring.coreos.com/v1
 kind: ServiceMonitor

config/rbac/auth_proxy_client_clusterrole.yaml

@@ -1,10 +1,9 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: metrics-reader
 rules:
-  - nonResourceURLs:
-      - "/metrics"
-    verbs:
-      - get
+- nonResourceURLs:
+  - "/metrics"
+  verbs:
+  - get

config/rbac/auth_proxy_role.yaml

@@ -1,18 +1,17 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: proxy-role
 rules:
-  - apiGroups:
-      - authentication.k8s.io
-    resources:
-      - tokenreviews
-    verbs:
-      - create
-  - apiGroups:
-      - authorization.k8s.io
-    resources:
-      - subjectaccessreviews
-    verbs:
-      - create
+- apiGroups:
+  - authentication.k8s.io
+  resources:
+  - tokenreviews
+  verbs:
+  - create
+- apiGroups:
+  - authorization.k8s.io
+  resources:
+  - subjectaccessreviews
+  verbs:
+  - create

config/rbac/auth_proxy_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: ClusterRole
   name: proxy-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/auth_proxy_service.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: Service
 metadata:
@@ -8,9 +7,9 @@ metadata:
   namespace: system
 spec:
   ports:
-    - name: https
-      port: 8443
-      protocol: TCP
-      targetPort: https
+  - name: https
+    port: 8443
+    protocol: TCP
+    targetPort: https
   selector:
     control-plane: controller-manager

config/rbac/awx_editor_role.yaml

@@ -1,25 +1,24 @@
----
 # permissions for end users to edit awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-editor-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - create
-      - delete
-      - get
-      - list
-      - patch
-      - update
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awx_viewer_role.yaml

@@ -1,21 +1,20 @@
----
 # permissions for end users to view awxs.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   name: awx-viewer-role
 rules:
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - awx.ansible.com
-    resources:
-      - awxs/status
-    verbs:
-      - get
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxs/status
+  verbs:
+  - get

config/rbac/awxbackup_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxbackup_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxbackups.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxbackup-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxbackups/status
+  verbs:
+  - get

config/rbac/awxrestore_editor_role.yaml

@@ -0,0 +1,24 @@
+# permissions for end users to edit awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-editor-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/awxrestore_viewer_role.yaml

@@ -0,0 +1,20 @@
+# permissions for end users to view awxrestores.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: awxrestore-viewer-role
+rules:
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - awx.ansible.com
+  resources:
+  - awxrestores/status
+  verbs:
+  - get

config/rbac/kustomization.yaml

@@ -1,19 +1,18 @@
----
 resources:
-  # All RBAC will be applied under this service account in
-  # the deployment namespace. You may comment out this resource
-  # if your manager will use a service account that exists at
-  # runtime. Be sure to update RoleBinding and ClusterRoleBinding
-  # subjects if changing service account names.
-  - service_account.yaml
-  - role.yaml
-  - role_binding.yaml
-  - leader_election_role.yaml
-  - leader_election_role_binding.yaml
-  # Comment the following 4 lines if you want to disable
-  # the auth proxy (https://github.com/brancz/kube-rbac-proxy)
-  # which protects your /metrics endpoint.
-  - auth_proxy_service.yaml
-  - auth_proxy_role.yaml
-  - auth_proxy_role_binding.yaml
-  - auth_proxy_client_clusterrole.yaml
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# subjects if changing service account names.
+- service_account.yaml
+- role.yaml
+- role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
+# Comment the following 4 lines if you want to disable
+# the auth proxy (https://github.com/brancz/kube-rbac-proxy)
+# which protects your /metrics endpoint.
+- auth_proxy_service.yaml
+- auth_proxy_role.yaml
+- auth_proxy_role_binding.yaml
+- auth_proxy_client_clusterrole.yaml

config/rbac/leader_election_role.yaml

@@ -1,38 +1,37 @@
----
 # permissions to do leader election.
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
   name: leader-election-role
 rules:
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - coordination.k8s.io
-    resources:
-      - leases
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - update
-      - patch
-      - delete
-  - apiGroups:
-      - ""
-    resources:
-      - events
-    verbs:
-      - create
-      - patch
+- apiGroups:
+  - ""
+  resources:
+  - configmaps
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - coordination.k8s.io
+  resources:
+  - leases
+  verbs:
+  - get
+  - list
+  - watch
+  - create
+  - update
+  - patch
+  - delete
+- apiGroups:
+  - ""
+  resources:
+  - events
+  verbs:
+  - create
+  - patch

config/rbac/leader_election_role_binding.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
@@ -8,6 +7,6 @@ roleRef:
   kind: Role
   name: leader-election-role
 subjects:
-  - kind: ServiceAccount
-    name: controller-manager
-    namespace: system
+- kind: ServiceAccount
+  name: controller-manager
+  namespace: system

config/rbac/role.yaml

@@ -20,7 +20,6 @@ rules:
       - watch
   - apiGroups:
       - ""
-      - "rbac.authorization.k8s.io"
     resources:
       - pods
       - services
@@ -31,6 +30,17 @@ rules:
       - events
       - configmaps
       - secrets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - "rbac.authorization.k8s.io"
+    resources:
       - roles
       - rolebindings
     verbs:
@@ -43,12 +53,22 @@ rules:
       - watch
   - apiGroups:
       - apps
-      - networking.k8s.io
     resources:
       - deployments
       - daemonsets
       - replicasets
       - statefulsets
+    verbs:
+      - get
+      - list
+      - create
+      - delete
+      - patch
+      - update
+      - watch
+  - apiGroups:
+      - networking.k8s.io
+    resources:
       - ingresses
     verbs:
       - get

config/rbac/service_account.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: v1
 kind: ServiceAccount
 metadata:

config/samples/awx_v1beta1_awxbackup.yaml

@@ -0,0 +1,13 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXBackup
+metadata:
+  name: example-awx-backup
+spec:
+  deployment_name: example-awx
+  backup_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/awx_v1beta1_awxrestore.yaml

@@ -0,0 +1,14 @@
+apiVersion: awx.ansible.com/v1beta1
+kind: AWXRestore
+metadata:
+  name: awxrestore-sample
+spec:
+  deployment_name: example-awx-2
+  backup_name: example-awx-backup
+  restore_resource_requirements:
+    limits:
+      cpu: "1000m"
+      memory: "4096Mi"
+    requests:
+      cpu: "25m"
+      memory: "32Mi"

config/samples/kustomization.yaml

@@ -1,5 +1,6 @@
----
 ## Append samples you want in your CSV to this file as resources ##
 resources:
-  - awx_v1beta1_awx.yaml
-# +kubebuilder:scaffold:manifestskustomizesamples
+- awx_v1beta1_awx.yaml
+- awx_v1beta1_awxbackup.yaml
+- awx_v1beta1_awxrestore.yaml
+#+kubebuilder:scaffold:manifestskustomizesamples

config/scorecard/bases/config.yaml

@@ -1,8 +1,7 @@
----
 apiVersion: scorecard.operatorframework.io/v1alpha3
 kind: Configuration
 metadata:
   name: config
 stages:
-  - parallel: true
-    tests: []
+- parallel: true
+  tests: []

config/scorecard/kustomization.yaml

@@ -1,17 +1,16 @@
----
 resources:
-  - bases/config.yaml
+- bases/config.yaml
 patchesJson6902:
-  - path: patches/basic.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-  - path: patches/olm.config.yaml
-    target:
-      group: scorecard.operatorframework.io
-      version: v1alpha3
-      kind: Configuration
-      name: config
-# +kubebuilder:scaffold:patchesJson6902
+- path: patches/basic.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+- path: patches/olm.config.yaml
+  target:
+    group: scorecard.operatorframework.io
+    version: v1alpha3
+    kind: Configuration
+    name: config
+#+kubebuilder:scaffold:patchesJson6902

config/scorecard/patches/basic.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - basic-check-spec
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - basic-check-spec
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: basic
       test: basic-check-spec-test

config/scorecard/patches/olm.config.yaml

@@ -1,11 +1,10 @@
----
 - op: add
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-bundle-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-bundle-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-bundle-validation-test
@@ -13,9 +12,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-validation
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-validation
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-validation-test
@@ -23,9 +22,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-crds-have-resources
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-crds-have-resources
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-crds-have-resources-test
@@ -33,9 +32,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-spec-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-spec-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-spec-descriptors-test
@@ -43,9 +42,9 @@
   path: /stages/0/tests/-
   value:
     entrypoint:
-      - scorecard-test
-      - olm-status-descriptors
-    image: quay.io/operator-framework/scorecard-test:v1.12.0
+    - scorecard-test
+    - olm-status-descriptors
+    image: quay.io/operator-framework/scorecard-test:v1.26.0
     labels:
       suite: olm
       test: olm-status-descriptors-test

config/testing/kustomization.yaml

@@ -1,13 +1,17 @@
 # Adds namespace to all resources.
 namespace: osdk-test
+
 namePrefix: osdk-
+
 # Labels to add to all resources and selectors.
-# commonLabels:
-#   someName: someValue
+#commonLabels:
+#  someName: someValue
+
 patchesStrategicMerge:
 - manager_image.yaml
 - debug_logs_patch.yaml
 - ../default/manager_auth_proxy_patch.yaml
+
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
@@ -17,5 +21,3 @@ resources:
 images:
 - name: testing
   newName: testing-operator
-patches:
-- path: pull_policy/Never.yaml

docs/debugging.md

@@ -35,6 +35,19 @@ ansible_operator_meta:
   namespace: awx
 service_type: nodeport
 ```
+The vars file will replace the awx resource so any value that you wish to over ride using the awx resource, put in the vars file. For example, if you wish to use your own image, version and pull policy, you can specify it like below:
+
+```yaml
+# vars.yml
+---
+ansible_operator_meta:
+  name: awx
+  namespace: awx
+service_type: nodeport
+image: $DEV_DOCKER_TAG_BASE/awx_kube_devel
+image_pull_policy: Always
+image_version: $COMPOSE_TAG
+```
 
 Run the installer:
 

docs/migration.md

@@ -34,7 +34,7 @@ metadata:
   namespace: <target namespace>
 stringData:
   host: <external ip or url resolvable by the cluster>
-  port: <external port, this usually defaults to 5432>
+  port: "<external port, this usually defaults to 5432>"    # quotes are required
   database: <desired database name>
   username: <username to connect as>
   password: <password to connect with>

molecule/default/destroy.yml

@@ -19,6 +19,6 @@
         state: absent
 
     - name: Unset pull policy
-      command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
+      command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
       args:
         chdir: '{{ config_dir }}/testing'

molecule/default/kustomize.yml

@@ -1,6 +1,6 @@
 ---
 - name: Build kustomize testing overlay
-  # load_restrictor must be set to none so we can load patch files from the default overlay
+  # load-restrictor must be set to none so we can load patch files from the default overlay
   command: '{{ kustomize }} build  --load-restrictor LoadRestrictionsNone .'
   args:
     chdir: '{{ config_dir }}/testing'

molecule/default/tasks/awx_test.yml

@@ -28,7 +28,7 @@
       register: awx_pod
       when: not awx_version
 
-    - name: Exract tags from images
+    - name: Extract tags from images
       set_fact:
         image_tags: |
           {{ awx_pod.resources[0].spec.containers |
@@ -49,13 +49,13 @@
         name: Demo Job Template
         wait: yes
         validate_certs: no
-        controller_host: localhost
+        controller_host: localhost/awx/
         controller_username: admin
         controller_password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
   rescue:
     - name: Get list of project updates and jobs
       uri:
-        url: "http://localhost/api/v2/{{ resource }}/"
+        url: "http://localhost/awx/api/v2/{{ resource }}/"
         user: admin
         password: "{{ admin_pw_secret.resources[0].data.password | b64decode }}"
         force_basic_auth: yes
@@ -83,3 +83,61 @@
           result: '{{ ansible_failed_result }}'
       fail:
         msg: '{{ failed_task }}'
+
+- block:
+    - name: Look up details for this deployment
+      k8s_info:
+        namespace: "{{ namespace }}"
+        api_version: "awx.ansible.com/v1beta1"
+        kind: AWX
+        name: example-awx
+      register: this_awx
+
+    - name: Get pod details
+      k8s_info:
+        namespace: '{{ namespace }}'
+        kind: Pod
+        label_selectors:
+          - app.kubernetes.io/name = example-awx
+      register: awx_pod
+
+    - name: Extract additional_labels from AWX spec
+      set_fact:
+        awx_additional_labels: >-
+          {{ this_awx.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', this_awx.resources[0].spec.additional_labels)
+             | list
+          }}
+
+    - name: Extract additional_labels from AWX Pod
+      set_fact:
+        pod_additional_labels: >-
+          {{ awx_pod.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', this_awx.resources[0].spec.additional_labels)
+             | list
+          }}
+
+    - name: AWX Pod contains additional_labels
+      ansible.builtin.assert:
+        that:
+          - pod_additional_labels == awx_additional_labels
+
+    - name: Extract Pod labels which shouldn't have been propagated to it from AWX
+      set_fact:
+        pod_extra_labels: >-
+          {{ awx_pod.resources[0].metadata.labels
+             | dict2items | selectattr('key', 'in', ["my/do-not-inherit"])
+             | list
+          }}
+
+    - name: AWX Pod doesn't contain AWX labels not in additional_labels
+      ansible.builtin.assert:
+        that:
+          - pod_extra_labels == []
+  rescue:
+    - name: Re-emit failure
+      vars:
+        failed_task:
+          result: '{{ ansible_failed_result }}'
+      fail:
+        msg: '{{ failed_task }}'

molecule/default/tasks/awxbackup_test.yml

@@ -0,0 +1,18 @@
+---
+# - name: Create the awx.ansible.com/v1beta1.AWXBackup
+#   k8s:
+#     state: present
+#     namespace: '{{ namespace }}'
+#     definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
+#     wait: yes
+#     wait_timeout: 300
+#     wait_condition:
+#       type: Successful
+#       status: "True"
+#   vars:
+#     cr_file: 'awx_v1beta1_awxbackup.yaml'
+#
+# - name: Add assertions here
+#   assert:
+#     that: false
+#     fail_msg: FIXME Add real assertions for your operator

molecule/default/tasks/awxrestore_test.yml

@@ -0,0 +1,18 @@
+---
+# - name: Create the awx.ansible.com/v1beta1.AWXRestore
+#   k8s:
+#     state: present
+#     namespace: '{{ namespace }}'
+#     definition: "{{ lookup('template', '/'.join([samples_dir, cr_file])) | from_yaml }}"
+#     wait: yes
+#     wait_timeout: 300
+#     wait_condition:
+#       type: Successful
+#       status: "True"
+#   vars:
+#     cr_file: 'awx_v1beta1_awxrestore.yaml'
+#
+# - name: Add assertions here
+#   assert:
+#     that: false
+#     fail_msg: FIXME Add real assertions for your operator

molecule/default/templates/awx_cr_molecule.yml.j2

@@ -3,6 +3,10 @@ apiVersion: awx.ansible.com/v1beta1
 kind: AWX
 metadata:
   name: example-awx
+  labels:
+    my/team: "foo"
+    my/service: "bar"
+    my/do-not-inherit: "yes"
 spec:
 {% if awx_image %}
   image: {{ awx_image }}
@@ -11,6 +15,7 @@ spec:
   image_version: {{ awx_version }}
 {% endif %}
   ingress_type: ingress
+  ingress_path: /awx
   ingress_annotations: |
     kubernetes.io/ingress.class: nginx
   web_resource_requirements:
@@ -25,6 +30,10 @@ spec:
     requests:
       cpu: 50m
       memory: 16M
+  no_log: false
   postgres_resource_requirements: {}
   postgres_init_container_resource_requirements: {}
   redis_resource_requirements: {}
+  additional_labels:
+  - my/team
+  - my/service

molecule/kind/destroy.yml

@@ -11,6 +11,6 @@
       command: kind delete cluster --name osdk-test --kubeconfig {{ kubeconfig }}
 
     - name: Unset pull policy
-      command: '{{ kustomize }} edit remove patch pull_policy/{{ operator_pull_policy }}.yaml'
+      command: '{{ kustomize }} edit remove patch --path pull_policy/{{ operator_pull_policy }}.yaml'
       args:
         chdir: '{{ config_dir }}/testing'

molecule/requirements.txt

@@ -1,4 +1,4 @@
-molecule
+molecule<4.0.2
 molecule-docker
 yamllint
 ansible-lint

molecule/requirements.yml

@@ -2,7 +2,7 @@
 collections:
   - name: community.general
   - name: kubernetes.core
-    version: 1.2.1
+    version: 2.3.2
   - name: operator_sdk.util
   - name: community.docker
   - name: awx.awx

playbooks/awx.yml

@@ -0,0 +1,31 @@
+---
+- hosts: localhost
+  gather_facts: no
+  collections:
+    - kubernetes.core
+    - operator_sdk.util
+  vars:
+    no_log: true
+  pre_tasks:
+    - name: Verify imagePullSecrets
+      k8s_info:
+        kind: Secret
+        namespace: '{{ ansible_operator_meta.namespace }}'
+        name: redhat-operators-pull-secret
+      register: _rh_ops_secret
+      no_log: "{{ no_log }}"
+    - name: Create imagePullSecret
+      k8s:
+        state: present
+        definition:
+          apiVersion: v1
+          kind: Secret
+          metadata:
+            name: redhat-operators-pull-secret
+            namespace: '{{ ansible_operator_meta.namespace }}'
+          stringData:
+            operator: awx
+      when:
+        - (_rh_ops_secret is not defined) or not (_rh_ops_secret['resources'] | length)
+  roles:
+    - installer

requirements.yml

@@ -1,6 +1,6 @@
 ---
 collections:
   - name: kubernetes.core
-    version: '==1.2.1'
+    version: '>=2.3.2'
   - name: operator_sdk.util
-    version: "0.2.0"
+    version: "0.4.0"

roles/backup/README.md

@@ -45,7 +45,7 @@ The resulting pvc will contain a backup tar that can be used to restore to a new
 Role Variables
 --------------
 
-A custom, pre-created pvc can be used by setting the following variables.  
+A custom, pre-created pvc can be used by setting the following variables.
 
 ```
 backup_pvc: 'awx-backup-volume-claim'
@@ -62,18 +62,42 @@ backup_storage_requirements: '20Gi'
 
 By default, the backup pvc will be created in the same namespace the awxbackup object is created in.  If you want your backup to be stored
 in a specific namespace, you can do so by specifying `backup_pvc_namespace`.  Keep in mind that you will
-need to provide the same namespace when restoring.  
+need to provide the same namespace when restoring.
 
 ```
 backup_pvc_namespace: 'custom-namespace'
 ```
+The backup pvc will be created in the same namespace the awxbackup object is created in.
 
-If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.  
-To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.  
+If a custom postgres configuration secret was used when deploying AWX, it will automatically be used by the backup role.
+To check the name of this secret, look at the postgresConfigurationSecret status on your AWX object.
 
 The postgresql pod for the old deployment is used when backing up data to the new postgresql pod.  If your postgresql pod has a custom label,
 you can pass that via the `postgres_label_selector` variable to make sure the postgresql pod can be found.
 
+It is also possible to tie the lifetime of the backup files to that of the AWXBackup resource object. To do that you can set the
+`clean_backup_on_delete` value to true. This will delete the `backupDirectory` on the pvc associated with the AWXBackup object deleted.
+
+```
+clean_backup_on_delete: true
+```
+
+Variable to define resources limits and request for backup CR.
+```
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+```
+
+To customize the pg_dump command that will be executed on a backup use the `pg_dump_suffix` variable. This variable will append your provided pg_dump parameters to the end of the 'standard' command. For example to exclude the data from 'main_jobevent' and 'main_job' to decrease the size of the backup use:
+
+```
+pg_dump_suffix: "--exclude-table-data 'main_jobevent*' --exclude-table-data 'main_job'"
+```
 
 Testing
 ----------------

roles/backup/defaults/main.yml

@@ -10,3 +10,30 @@ backup_pvc_namespace: "{{ ansible_operator_meta.namespace }}"
 
 # Size of backup PVC if created dynamically
 backup_storage_requirements: ''
+
+# Set no_log settings on certain tasks
+no_log: true
+
+# Variable to set when you want backups to be cleaned up when the CRD object is deleted
+clean_backup_on_delete: false
+
+# Variable to signal that this role is being run as a finalizer
+finalizer_run: false
+
+# Default resource requirements
+backup_resource_requirements:
+  limits:
+    cpu: "1000m"
+    memory: "4096Mi"
+  requests:
+    cpu: "25m"
+    memory: "32Mi"
+# Allow additional parameters to be added to the pg_dump backup command
+pg_dump_suffix: ''
+
+# Labels defined on the resource, which should be propagated to child resources
+additional_labels: []
+
+# Maintain some of the recommended `app.kubernetes.io/*` labels on the resource (self)
+set_self_labels: true
+...

roles/backup/meta/main.yml

@@ -24,7 +24,8 @@ galaxy_info:
     - backup
     - automation
 
-dependencies: []
+dependencies:
+  - role: common
 
 collections:
   - kubernetes.core

roles/backup/tasks/awx-cro.yml

@@ -25,10 +25,11 @@
   set_fact:
     awx_spec:
       spec: "{{ _awx }}"
+      previous_deployment_name: "{{ this_awx['resources'][0]['metadata']['name'] }}"
 
 - name: Write awx object to pvc
-  k8s_exec:
+  k8s_cp:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
-    command: >-
-      bash -c 'echo "$0" > {{ backup_dir  }}/awx_object' {{ awx_spec | to_yaml | quote  }}
+    remote_path: "{{ backup_dir  }}/awx_object"
+    content: "{{ awx_spec | to_yaml }}"

roles/backup/tasks/creation.yml

@@ -0,0 +1,53 @@
+---
+- name: Patching labels to {{ kind }} kind
+  k8s:
+    state: present
+    definition:
+      apiVersion: "{{ api_version }}"
+      kind: "{{ kind }}"
+      name: "{{ ansible_operator_meta.name }}"
+      namespace: "{{ ansible_operator_meta.namespace }}"
+      metadata:
+        name: "{{ ansible_operator_meta.name }}"
+        namespace: "{{ ansible_operator_meta.namespace }}"
+        labels: '{{ lookup("template", "../common/templates/labels/common.yaml.j2") | from_yaml }}'
+  when: set_self_labels | bool
+
+- name: Look up details for this backup object
+  k8s_info:
+    api_version: "{{ api_version }}"
+    kind: "{{ kind }}"
+    name: "{{ ansible_operator_meta.name }}"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: this_backup
+
+- name: Build `additional_labels_items` labels from `additional_labels`
+  set_fact:
+    additional_labels_items: >-
+      {{ this_backup['resources'][0]['metadata']['labels']
+         | dict2items | selectattr('key', 'in', additional_labels)
+      }}
+  when:
+  - additional_labels | length
+  - this_backup['resources'][0]['metadata']['labels']
+
+- block:
+  - include_tasks: init.yml
+
+  - include_tasks: postgres.yml
+
+  - include_tasks: awx-cro.yml
+
+  - include_tasks: secrets.yml
+
+  - name: Set flag signifying this backup was successful
+    set_fact:
+      backup_complete: true
+
+  - include_tasks: cleanup.yml
+
+  when:
+  - this_backup['resources'][0]['status']['backupDirectory'] is not defined
+
+- name: Update status variables
+  include_tasks: update_status.yml

roles/backup/tasks/delete_backup.yml

@@ -0,0 +1,7 @@
+---
+- name: Cleanup backup associated with this option if enabled
+  k8s_exec:
+    namespace: "{{ backup_pvc_namespace }}"
+    pod: "{{ ansible_operator_meta.name }}-db-management"
+    command: >-
+      bash -c 'rm -rf {{ backup_dir  }}'

roles/backup/tasks/dump_generated_secret.yml

@@ -25,15 +25,15 @@
       namespace: '{{ ansible_operator_meta.namespace }}'
       name: "{{ _name }}"
   register: _secret
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set secret data
   set_fact:
       _data: "{{ _secret['resources'][0]['data'] }}"
       _type: "{{ _secret['resources'][0]['type'] }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Create and Add secret names and data to dictionary
   set_fact:
       secret_dict: "{{ secret_dict | default({}) | combine({ item: {'name': _name, 'data': _data, 'type': _type }}) }}"
-  no_log: true
+  no_log: "{{ no_log }}"

roles/backup/tasks/dump_receptor_secrets.yml

@@ -0,0 +1,24 @@
+---
+
+- name: Get secret
+  k8s_info:
+    version: v1
+    kind: Secret
+    namespace: '{{ ansible_operator_meta.namespace }}'
+    name: "{{ item }}"
+  register: _secret
+  no_log: "{{ no_log }}"
+
+- name: Backup secret if exists
+  block:
+    - name: Set secret key
+      set_fact:
+        _data: "{{ _secret['resources'][0]['data'] }}"
+        _type: "{{ _secret['resources'][0]['type'] }}"
+      no_log: "{{ no_log }}"
+
+    - name: Create and Add secret names and data to dictionary
+      set_fact:
+        secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': item, 'data': _data, 'type': _type }}) }}"
+      no_log: "{{ no_log }}"
+  when: _secret | length

roles/backup/tasks/dump_secret.yml

@@ -13,16 +13,16 @@
             namespace: '{{ ansible_operator_meta.namespace }}'
             name: "{{ _name }}"
         register: _secret
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Set secret key
         set_fact:
             _data: "{{ _secret['resources'][0]['data'] }}"
             _type: "{{ _secret['resources'][0]['type'] }}"
-        no_log: true
+        no_log: "{{ no_log }}"
 
       - name: Create and Add secret names and data to dictionary
         set_fact:
             secret_dict: "{{ secret_dict | default({}) | combine({item: { 'name': _name, 'data': _data, 'type': _type }}) }}"
-        no_log: true
+        no_log: "{{ no_log }}"
   when: _name != ''

roles/backup/tasks/finalizer.yml

@@ -0,0 +1,20 @@
+---
+- name: Look up details for this backup object
+  k8s_info:
+    api_version: "{{ api_version }}"
+    kind: "{{ kind }}"
+    name: "{{ ansible_operator_meta.name }}"
+    namespace: "{{ ansible_operator_meta.namespace }}"
+  register: this_backup
+
+- block:
+    - include_tasks: init.yml
+
+    - include_tasks: delete_backup.yml
+
+    - include_tasks: cleanup.yml
+  vars:
+    backup_dir: "{{ this_backup['resources'][0]['status']['backupDirectory'] | default() }}"
+  when:
+    - clean_backup_on_delete
+    - backup_dir | length > 0

roles/backup/tasks/init.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Delete any existing management pod
   k8s:
     name: "{{ ansible_operator_meta.name }}-db-management"
@@ -57,8 +56,8 @@
           apiVersion: v1
           kind: PersistentVolumeClaim
           metadata:
-            name: '{{ deployment_name }}-backup-claim'
-            namespace: '{{ backup_pvc_namespace }}'
+            name: "{{ deployment_name }}-backup-claim"
+            namespace: "{{ backup_pvc_namespace }}"
             ownerReferences: null
   when:
     - backup_pvc == '' or backup_pvc is not defined

roles/backup/tasks/main.yml

@@ -1,47 +1,8 @@
 ---
-- name: Patching labels to {{ kind }} kind
-  k8s:
-    state: present
-    definition:
-      apiVersion: '{{ api_version }}'
-      kind: '{{ kind }}'
-      name: '{{ ansible_operator_meta.name }}'
-      namespace: '{{ ansible_operator_meta.namespace }}'
-      metadata:
-        name: '{{ ansible_operator_meta.name }}'
-        namespace: '{{ ansible_operator_meta.namespace }}'
-        labels:
-          app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-          app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-          app.kubernetes.io/component: '{{ deployment_type }}'
-          app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+- name: Run creation tasks
+  include_tasks: creation.yml
+  when: not finalizer_run
 
-- name: Look up details for this backup object
-  k8s_info:
-    api_version: "{{ api_version }}"
-    kind: "{{ kind }}"
-    name: "{{ ansible_operator_meta.name }}"
-    namespace: "{{ ansible_operator_meta.namespace }}"
-  register: this_backup
-
-- block:
-    - include_tasks: init.yml
-
-    - include_tasks: postgres.yml
-
-    - include_tasks: awx-cro.yml
-
-    - include_tasks: secrets.yml
-
-    - name: Set flag signifying this backup was successful
-      set_fact:
-        backup_complete: true
-
-    - include_tasks: cleanup.yml
-
-  when:
-    - this_backup['resources'][0]['status']['backupDirectory'] is not defined
-
-- name: Update status variables
-  include_tasks: update_status.yml
+- name: Run finalizer tasks
+  include_tasks: finalizer.yml
+  when: finalizer_run

roles/backup/tasks/postgres.yml

@@ -6,7 +6,7 @@
     namespace: '{{ ansible_operator_meta.namespace }}'
     name: "{{ this_awx['resources'][0]['status']['postgresConfigurationSecret'] }}"
   register: pg_config
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Fail if postgres configuration secret status does not exist
   fail:
@@ -21,12 +21,12 @@
     awx_postgres_port: "{{ pg_config['resources'][0]['data']['port'] | b64decode }}"
     awx_postgres_host: "{{ pg_config['resources'][0]['data']['host'] | b64decode }}"
     awx_postgres_type: "{{ pg_config['resources'][0]['data']['type'] | default('unmanaged'|b64encode) | b64decode }}"
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - block:
     - name: Delete pod to reload a resource configuration
       set_fact:
-        postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ deployment_name }}"
+        postgres_label_selector: "app.kubernetes.io/instance=postgres-{{ supported_pg_version }}-{{ deployment_name }}"
       when: postgres_label_selector is not defined
 
     - name: Get the postgres pod information
@@ -50,7 +50,7 @@
 
 - name: Determine the timestamp for the backup once for all nodes
   set_fact:
-    now: '{{ lookup("pipe", "date +%F-%T") }}'
+    now: '{{ lookup("pipe", "date +%F-%H%M%S") }}'
 
 - name: Set backup directory name
   set_fact:
@@ -75,12 +75,12 @@
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
     command: >-
-      bash -c "chmod 0600 {{ backup_dir }}/tower.db && chown postgres:root {{ backup_dir }}/tower.db"
+      bash -c "chmod 660 {{ backup_dir }}/tower.db && chown :root {{ backup_dir }}/tower.db"
 
 - name: Set full resolvable host name for postgres pod
   set_fact:
     resolvable_db_host: '{{ (awx_postgres_type == "managed") | ternary(awx_postgres_host + "." + ansible_operator_meta.namespace + ".svc.cluster.local", awx_postgres_host) }}'  # yamllint disable-line rule:line-length
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Set pg_dump command
   set_fact:
@@ -91,7 +91,8 @@
       -d {{ awx_postgres_database }}
       -p {{ awx_postgres_port }}
       -F custom
-  no_log: true
+      {{ pg_dump_suffix }}
+  no_log: "{{ no_log }}"
 
 - name: Write pg_dump to backup on PVC
   k8s_exec:
@@ -104,5 +105,5 @@
       echo 'Successful'
       """
   register: data_migration
-  no_log: true
+  no_log: "{{ no_log }}"
   failed_when: "'Successful' not in data_migration.stdout"

roles/backup/tasks/secrets.yml

@@ -1,11 +1,5 @@
 ---
 
-- name: Create Temporary secrets file
-  tempfile:
-    state: file
-    suffix: .json
-  register: tmp_secrets
-
 - name: Dump (generated) secret names from statuses and data into file
   include_tasks: dump_generated_secret.yml
   with_items:
@@ -23,6 +17,12 @@
     - bundle_cacert_secret
     - ee_pull_credentials_secret
 
+- name: Dump receptor secret names and data into file
+  include_tasks: dump_receptor_secrets.yml
+  loop:
+    - '{{ deployment_name }}-receptor-ca'
+    - '{{ deployment_name }}-receptor-work-signing'
+
 # image_pull_secret is deprecated in favor of image_pull_secrets
 - name: Dump image_pull_secret into file
   include_tasks: dump_secret.yml
@@ -39,12 +39,12 @@
 - name: Nest secrets under a single variable
   set_fact:
     secrets: {"secrets": '{{ secret_dict }}'}
-  no_log: true
+  no_log: "{{ no_log }}"
 
 - name: Write postgres configuration to pvc
-  k8s_exec:
+  k8s_cp:
     namespace: "{{ backup_pvc_namespace }}"
     pod: "{{ ansible_operator_meta.name }}-db-management"
-    command: >-
-      bash -c "echo '{{ secrets | to_yaml }}' > {{ backup_dir }}/secrets.yml"
-  no_log: true
+    remote_path: "{{ backup_dir }}/secrets.yml"
+    content: "{{ secrets | to_yaml }}"
+  no_log: "{{ no_log }}"

roles/backup/templates/backup_pvc.yml.j2

@@ -6,11 +6,7 @@ metadata:
   namespace: {{ backup_pvc_namespace }}
   ownerReferences: null
   labels:
-    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
 spec:
   accessModes:
     - ReadWriteOnce

roles/backup/templates/management-pod.yml.j2

@@ -5,11 +5,7 @@ metadata:
   name: {{ ansible_operator_meta.name }}-db-management
   namespace: {{ backup_pvc_namespace }}
   labels:
-    app.kubernetes.io/name: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/part-of: '{{ ansible_operator_meta.name }}'
-    app.kubernetes.io/managed-by: '{{ deployment_type }}-operator'
-    app.kubernetes.io/component: '{{ deployment_type }}'
-    app.kubernetes.io/operator-version: '{{ lookup("env", "OPERATOR_VERSION") }}'
+    {{ lookup("template", "../common/templates/labels/common.yaml.j2") | indent(width=4) | trim }}
 spec:
   containers:
   - name: {{ ansible_operator_meta.name }}-db-management
@@ -20,6 +16,10 @@ spec:
     - name: {{ ansible_operator_meta.name }}-backup
       mountPath: /backups
       readOnly: false
+{% if backup_resource_requirements is defined %}
+    resources:
+      {{ backup_resource_requirements | to_nice_yaml(indent=2) | indent(width=6, first=False) }}
+{%- endif %}
   volumes:
     - name: {{ ansible_operator_meta.name }}-backup
       persistentVolumeClaim:

roles/backup/vars/main.yml

@@ -1,6 +1,7 @@
 ---
 deployment_type: "awx"
 _postgres_image: postgres
-_postgres_image_version: 12
+_postgres_image_version: 13
 backup_complete: false
 database_type: "unmanaged"
+supported_pg_version: 13

roles/common/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+deployment_type: awx
+kind: 'AWX'
+api_version: '{{ deployment_type }}.ansible.com/v1beta1'
+
+# Used to determine some cluster specific logic regarding projects_persistence pvc permissions
+is_k8s: false
+is_openshift: false

roles/common/meta/main.yml

@@ -0,0 +1,32 @@
+---
+galaxy_info:
+  author: Ansible
+  description: AWX role for AWX Operator for Kubernetes.
+  company: Red Hat, Inc.
+
+  license: MIT
+
+  min_ansible_version: 2.8
+
+  platforms:
+    - name: EL
+      versions:
+        - all
+    - name: Debian
+      versions:
+        - all
+
+  galaxy_tags:
+    - tower
+    - awx
+    - ansible
+    - automation
+    - ci
+    - cd
+    - deployment
+
+dependencies: []
+
+collections:
+  - kubernetes.core
+  - operator_sdk.util